From df5afa4fcd9725380f94ca6476248d4cc24f889a Mon Sep 17 00:00:00 2001 From: Ashlee Young Date: Sun, 29 Nov 2015 08:22:13 -0800 Subject: v2.4.4 audit sources Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young --- framework/src/audit/auparse/test/Makefile.am | 91 +++ framework/src/audit/auparse/test/auparse_test.c | 469 ++++++++++++ framework/src/audit/auparse/test/auparse_test.py | 262 +++++++ framework/src/audit/auparse/test/auparse_test.ref | 803 +++++++++++++++++++++ .../src/audit/auparse/test/auparse_test.ref.py | 793 ++++++++++++++++++++ framework/src/audit/auparse/test/test.log | 10 + framework/src/audit/auparse/test/test2.log | 10 + 7 files changed, 2438 insertions(+) create mode 100644 framework/src/audit/auparse/test/Makefile.am create mode 100644 framework/src/audit/auparse/test/auparse_test.c create mode 100755 framework/src/audit/auparse/test/auparse_test.py create mode 100644 framework/src/audit/auparse/test/auparse_test.ref create mode 100644 framework/src/audit/auparse/test/auparse_test.ref.py create mode 100644 framework/src/audit/auparse/test/test.log create mode 100644 framework/src/audit/auparse/test/test2.log (limited to 'framework/src/audit/auparse/test') diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am new file mode 100644 index 00000000..19793508 --- /dev/null +++ b/framework/src/audit/auparse/test/Makefile.am @@ -0,0 +1,91 @@ +# Makefile.am -- +# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina. +# All Rights Reserved. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Authors: +# Steve Grubb +# + +CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur +AUTOMAKE_OPTIONS = no-dependencies +check_PROGRAMS = auparse_test +dist_check_SCRIPTS = auparse_test.py +EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log + +AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib + +auparse_test_SOURCES = auparse_test.c +auparse_test_LDFLAGS = -static +auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/lib/libaudit.la + +drop_srcdir = sed 's,$(srcdir)/test,test,' + +check: auparse_test + test "$(top_srcdir)" = "$(top_builddir)" || \ + cp $(top_srcdir)/auparse/test/test*.log . + LC_ALL=C \ + ./auparse_test > auparse_test.cur + diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur +if HAVE_PYTHON + cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python + PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ + LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \ + srcdir=$(srcdir) $(srcdir)/auparse_test.py \ + | $(drop_srcdir) > auparse_test.cur + diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur +endif + echo -e "===================\nAuparse Test Passes\n===================" + +diffcheck: auparse_test + ./auparse_test > auparse_test.cur + diff -u $(srcdir)/auparse_test.ref auparse_test.cur + +memcheck: auparse_test + valgrind --leak-check=yes --show-reachable=yes ./auparse_test + +pycheck: auparse_test.py +if HAVE_PYTHON + PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ + LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \ + srcdir=$(srcdir) $(srcdir)/auparse_test.py +endif + +pydiffcheck: auparse_test.py +if HAVE_PYTHON + PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ + LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \ + srcdir=$(srcdir) $(srcdir)/auparse_test.py \ + | $(drop_srcdir) > auparse_test.cur + diff $(srcdir)/auparse_test.ref auparse_test.cur +endif + +pymemcheck: auparse_test.py +if HAVE_PYTHON + PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ + LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py + +${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c + cd ${top_builddir}/bindings/python && make +endif + +clean-generic: + $(RM) *.cur +if HAVE_PYTHON + $(RM) ${top_builddir}/bindings/swig/python/_audit.so +endif + test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c new file mode 100644 index 00000000..a6477d41 --- /dev/null +++ b/framework/src/audit/auparse/test/auparse_test.c @@ -0,0 +1,469 @@ +#include +#include +#include +#include +#include +#include +#include +#include + + +static const char *buf[] = { + "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n" + "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n", + + "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n", + + NULL +}; + + +static void walk_test(auparse_state_t *au) +{ + int event_cnt = 1, record_cnt; + + do { + if (auparse_first_record(au) <= 0) { + printf("Error getting first record (%s)\n", + strerror(errno)); + exit(1); + } + printf("event %d has %d records\n", event_cnt, + auparse_get_num_records(au)); + record_cnt = 1; + do { + printf(" record %d of type %d(%s) has %d fields\n", + record_cnt, + auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + printf(" line=%d file=%s\n", + auparse_get_line_number(au), + auparse_get_filename(au) ? + auparse_get_filename(au) : "None"); + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + printf("Error getting timestamp - aborting\n"); + exit(1); + } + printf(" event time: %u.%u:%lu, host=%s\n", + (unsigned)e->sec, + e->milli, e->serial, e->host ? e->host : "?"); + auparse_first_field(au); + do { + printf(" %s=%s (%s)\n", + auparse_get_field_name(au), + auparse_get_field_str(au), + auparse_interpret_field(au)); + } while (auparse_next_field(au) > 0); + printf("\n"); + record_cnt++; + } while(auparse_next_record(au) > 0); + event_cnt++; + } while (auparse_next_event(au) > 0); +} + +void light_test(auparse_state_t *au) +{ + int record_cnt; + + do { + if (auparse_first_record(au) <= 0) { + puts("Error getting first record"); + exit(1); + } + printf("event has %d records\n", auparse_get_num_records(au)); + record_cnt = 1; + do { + printf(" record %d of type %d(%s) has %d fields\n", + record_cnt, + auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + printf(" line=%d file=%s\n", + auparse_get_line_number(au), + auparse_get_filename(au) ? + auparse_get_filename(au) : "None"); + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + printf("Error getting timestamp - aborting\n"); + exit(1); + } + printf(" event time: %u.%u:%lu, host=%s\n", + (unsigned)e->sec, + e->milli, e->serial, + e->host ? e->host : "?"); + printf("\n"); + record_cnt++; + } while(auparse_next_record(au) > 0); + + } while (auparse_next_event(au) > 0); +} + +void simple_search(ausource_t source, austop_t where) +{ + auparse_state_t *au; + const char *val; + + if (source == AUSOURCE_FILE) { + au = auparse_init(AUSOURCE_FILE, "./test.log"); + val = "4294967295"; + } else { + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + val = "848"; + } + if (au == NULL) { + printf("auparse_init error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_set_stop(au, where)){ + printf("ausearch_set_stop error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) <= 0) + printf("Error searching for auid - %s\n", strerror(errno)); + else + printf("Found %s = %s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + auparse_destroy(au); +} + +void compound_search(ausearch_rule_t how) +{ + auparse_state_t *au; + + au = auparse_init(AUSOURCE_FILE, "./test.log"); + if (au == NULL) { + printf("auparse_init error - %s\n", strerror(errno)); + exit(1); + } + if (how == AUSEARCH_RULE_AND) { + if (ausearch_add_item(au, "uid", "=", "0", + AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item 1 error - %s\n", + strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "pid", "=", "13015", how)){ + printf("ausearch_add_item 2 error - %s\n", + strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "type", "=", "USER_START", how)){ + printf("ausearch_add_item 3 error - %s\n", + strerror(errno)); + exit(1); + } + } else { + if (ausearch_add_item(au, "auid", "=", "42", + AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item 4 error - %s\n", + strerror(errno)); + exit(1); + } + // should stop on this one + if (ausearch_add_item(au, "auid", "=", "0", how)){ + printf("ausearch_add_item 5 error - %s\n", + strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "auid", "=", "500", how)){ + printf("ausearch_add_item 6 error - %s\n", + strerror(errno)); + exit(1); + } + } + if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){ + printf("ausearch_set_stop error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) <= 0) + printf("Error searching for auid - %s\n", strerror(errno)); + else + printf("Found %s = %s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + auparse_destroy(au); +} + +void regex_search(const char *expr) +{ + auparse_state_t *au; + int rc; + + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("auparse_init error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_add_regex(au, expr)){ + printf("ausearch_add_regex error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){ + printf("ausearch_set_stop error - %s\n", strerror(errno)); + exit(1); + } + rc = ausearch_next_event(au); + if (rc < 0) + printf("Error searching for %s - %s\n", expr, strerror(errno)); + else if (rc == 0) + printf("Not found\n"); + else + printf("Found %s = %s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + auparse_destroy(au); +} + +static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data) +{ + int *event_cnt = (int *)user_data; + int record_cnt; + + if (cb_event_type == AUPARSE_CB_EVENT_READY) { + if (auparse_first_record(au) <= 0) { + printf("can't get first record\n"); + return; + } + printf("event %d has %d records\n", *event_cnt, + auparse_get_num_records(au)); + record_cnt = 1; + do { + printf(" record %d of type %d(%s) has %d fields\n", + record_cnt, + auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + printf(" line=%d file=%s\n", + auparse_get_line_number(au), + auparse_get_filename(au) ? + auparse_get_filename(au) : "None"); + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + return; + } + printf(" event time: %u.%u:%lu, host=%s\n", + (unsigned)e->sec, + e->milli, e->serial, + e->host ? e->host : "?"); + auparse_first_field(au); + do { + printf(" %s=%s (%s)\n", + auparse_get_field_name(au), + auparse_get_field_str(au), + auparse_interpret_field(au)); + } while (auparse_next_field(au) > 0); + printf("\n"); + record_cnt++; + } while(auparse_next_record(au) > 0); + (*event_cnt)++; + } +} + +int main(void) +{ + //char *files[4] = { "test.log", "test2.log", "test3.log", NULL }; + char *files[3] = { "test.log", "test2.log", NULL }; + setlocale (LC_ALL, ""); + auparse_state_t *au; + + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + + printf("Starting Test 1, iterate...\n"); + while (auparse_next_event(au) > 0) { + if (auparse_find_field(au, "auid")) { + printf("%s=%s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + printf("interp auid=%s\n", auparse_interpret_field(au)); + } else + printf("Error iterating to auid\n"); + } + auparse_reset(au); + while (auparse_next_event(au) > 0) { + if (auparse_find_field(au, "auid")) { + do { + printf("%s=%s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + printf("interp auid=%s\n", auparse_interpret_field(au)); + } while (auparse_find_field_next(au)); + } else + printf("Error iterating to auid\n"); + } + printf("Test 1 Done\n\n"); + + /* Reset, now lets go to beginning and walk the list manually */ + printf("Starting Test 2, walk events, records, and fields...\n"); + auparse_reset(au); + walk_test(au); + auparse_destroy(au); + printf("Test 2 Done\n\n"); + + /* Reset, now lets go to beginning and walk the list manually */ + printf("Starting Test 3, walk events, records of 1 buffer...\n"); + au = auparse_init(AUSOURCE_BUFFER, buf[1]); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + light_test(au); + auparse_destroy(au); + printf("Test 3 Done\n\n"); + + printf("Starting Test 4, walk events, records of 1 file...\n"); + au = auparse_init(AUSOURCE_FILE, "./test.log"); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + walk_test(au); + auparse_destroy(au); + printf("Test 4 Done\n\n"); + + printf("Starting Test 5, walk events, records of 2 files...\n"); + au = auparse_init(AUSOURCE_FILE_ARRAY, files); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + walk_test(au); + auparse_destroy(au); + printf("Test 5 Done\n\n"); + + printf("Starting Test 6, search...\n"); + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){ + printf("Error - %s", strerror(errno)); + return 1; + } + if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){ + printf("Error - %s", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) != 0) { + printf("Error search found something it shouldn't have\n"); + } + puts("auid = 500 not found...which is correct"); + ausearch_clear(au); + auparse_destroy(au); + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){ + printf("Error - %s", strerror(errno)); + return 1; + } + if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){ + printf("Error - %s", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) <= 0) { + printf("Error searching for existence of auid\n"); + } + puts("auid exists...which is correct"); + puts("Testing BUFFER_ARRAY, stop on field"); + simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD); + puts("Testing BUFFER_ARRAY, stop on record"); + simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD); + puts("Testing BUFFER_ARRAY, stop on event"); + simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT); + puts("Testing test.log, stop on field"); + simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD); + puts("Testing test.log, stop on record"); + simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD); + puts("Testing test.log, stop on event"); + simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT); + auparse_destroy(au); + printf("Test 6 Done\n\n"); + + printf("Starting Test 7, compound search...\n"); + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + compound_search(AUSEARCH_RULE_AND); + compound_search(AUSEARCH_RULE_OR); + auparse_destroy(au); + printf("Test 7 Done\n\n"); + + printf("Starting Test 8, regex search...\n"); + puts("Doing regex match..."); + regex_search("1143146623"); + puts("Doing regex wildcard search..."); + regex_search("11431466.*146"); + printf("Test 8 Done\n\n"); + + /* Note: this should match Test 2 exactly */ + printf("Starting Test 9, buffer feed...\n"); + { + int event_cnt = 1; + size_t len, chunk_len = 3; + const char **cur_buf, *p_beg, *p_end, *p_chunk_beg, + *p_chunk_end; + + au = auparse_init(AUSOURCE_FEED, 0); + auparse_add_callback(au, auparse_callback, &event_cnt, NULL); + for (cur_buf = buf, p_beg = *cur_buf; *cur_buf; + cur_buf++, p_beg = *cur_buf) { + len = strlen(p_beg); + p_end = p_beg + len; + p_chunk_beg = p_beg; + while (p_chunk_beg < p_end) { + p_chunk_end = p_chunk_beg + chunk_len; + if (p_chunk_end > p_end) + p_chunk_end = p_end; + + //fwrite(p_chunk_beg, 1, + // p_chunk_end-p_chunk_beg, stdout); + auparse_feed(au, p_chunk_beg, + p_chunk_end-p_chunk_beg); + p_chunk_beg = p_chunk_end; + } + } + + auparse_flush_feed(au); + auparse_destroy(au); + } + printf("Test 9 Done\n\n"); + + /* Note: this should match Test 4 exactly */ + printf("Starting Test 10, file feed...\n"); + { + int *event_cnt = malloc(sizeof(int)); + size_t len; + char filename[] = "./test.log"; + char buf[4]; + FILE *fp; + + *event_cnt = 1; + au = auparse_init(AUSOURCE_FEED, 0); + auparse_add_callback(au, auparse_callback, event_cnt, free); + if ((fp = fopen(filename, "r")) == NULL) { + fprintf(stderr, "could not open '%s', %s\n", + filename, strerror(errno)); + return 1; + } + while ((len = fread(buf, 1, sizeof(buf), fp))) { + auparse_feed(au, buf, len); + } + + fclose(fp); + auparse_flush_feed(au); + auparse_destroy(au); + } + printf("Test 10 Done\n\n"); + + puts("Finished non-admin tests\n"); + + return 0; +} + diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py new file mode 100755 index 00000000..9d9a5c4d --- /dev/null +++ b/framework/src/audit/auparse/test/auparse_test.py @@ -0,0 +1,262 @@ +#!/usr/bin/env python + +import os +srcdir = os.getenv('srcdir') + +buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n", +"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n", +] +files = [srcdir + "/test.log", srcdir + "/test2.log"] + +import sys +import time +load_path = '../../bindings/python/build/lib.linux-i686-2.4' +if False: + sys.path.insert(0, load_path) + +import auparse +import audit + +def none_to_null(s): + 'used so output matches C version' + if s is None: + return '(null)' + else: + return s + +def walk_test(au): + event_cnt = 1 + + au.reset() + while True: + if not au.first_record(): + print "Error getting first record" + sys.exit(1) + + print "event %d has %d records" % (event_cnt, au.get_num_records()) + + record_cnt = 1 + while True: + print " record %d of type %d(%s) has %d fields" % \ + (record_cnt, + au.get_type(), audit.audit_msg_type_to_name(au.get_type()), + au.get_num_fields()) + print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) + event = au.get_timestamp() + if event is None: + print "Error getting timestamp - aborting" + sys.exit(1) + + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) + au.first_field() + while True: + print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) + if not au.next_field(): break + print + record_cnt += 1 + if not au.next_record(): break + event_cnt += 1 + if not au.parse_next_event(): break + + +def light_test(au): + while True: + if not au.first_record(): + print "Error getting first record" + sys.exit(1) + + print "event has %d records" % (au.get_num_records()) + + record_cnt = 1 + while True: + print " record %d of type %d(%s) has %d fields" % \ + (record_cnt, + au.get_type(), audit.audit_msg_type_to_name(au.get_type()), + au.get_num_fields()) + print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) + event = au.get_timestamp() + if event is None: + print "Error getting timestamp - aborting" + sys.exit(1) + + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) + print + record_cnt += 1 + if not au.next_record(): break + if not au.parse_next_event(): break + +def simple_search(au, source, where): + + if source == auparse.AUSOURCE_FILE: + au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); + val = "4294967295" + else: + au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) + val = "848" + + au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR) + au.search_set_stop(where) + if not au.search_next_event(): + print "Error searching for auid" + else: + print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) + +def compound_search(au, how): + au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); + if how == auparse.AUSEARCH_RULE_AND: + au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR) + au.search_add_item("pid", "=", "13015", how) + au.search_add_item("type", "=", "USER_START", how) + else: + au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR) + # should stop on this one + au.search_add_item("auid", "=", "0", how) + au.search_add_item("auid", "=", "500", how) + + au.search_set_stop(auparse.AUSEARCH_STOP_FIELD) + if not au.search_next_event(): + print "Error searching for auid" + else: + print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) + +def feed_callback(au, cb_event_type, event_cnt): + if cb_event_type == auparse.AUPARSE_CB_EVENT_READY: + if not au.first_record(): + print "Error getting first record" + sys.exit(1) + + print "event %d has %d records" % (event_cnt[0], au.get_num_records()) + + record_cnt = 1 + while True: + print " record %d of type %d(%s) has %d fields" % \ + (record_cnt, + au.get_type(), audit.audit_msg_type_to_name(au.get_type()), + au.get_num_fields()) + print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) + event = au.get_timestamp() + if event is None: + print "Error getting timestamp - aborting" + sys.exit(1) + + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) + au.first_field() + while True: + print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) + if not au.next_field(): break + print + record_cnt += 1 + if not au.next_record(): break + event_cnt[0] += 1 + +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) + +print "Starting Test 1, iterate..." +while au.parse_next_event(): + if au.find_field("auid"): + print "%s=%s" % (au.get_field_name(), au.get_field_str()) + print "interp auid=%s" % (au.interpret_field()) + else: + print "Error iterating to auid" +print "Test 1 Done\n" + +# Reset, now lets go to beginning and walk the list manually */ +print "Starting Test 2, walk events, records, and fields..." +au.reset() +walk_test(au) +print "Test 2 Done\n" + +# Reset, now lets go to beginning and walk the list manually */ +print "Starting Test 3, walk events, records of 1 buffer..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1]) +light_test(au); +print "Test 3 Done\n" + +print "Starting Test 4, walk events, records of 1 file..." +au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); +walk_test(au); +print "Test 4 Done\n" + +print "Starting Test 5, walk events, records of 2 files..." +au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files); +walk_test(au); +print "Test 5 Done\n" + +print "Starting Test 6, search..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR) +au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) +if au.search_next_event(): + print "Error search found something it shouldn't have" +else: + print "auid = 500 not found...which is correct" +au.search_clear() +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR) +au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR) +au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) +if not au.search_next_event(): + print "Error searching for existence of auid" +print "auid exists...which is correct" +print "Testing BUFFER_ARRAY, stop on field" +simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD) +print "Testing BUFFER_ARRAY, stop on record" +simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD) +print "Testing BUFFER_ARRAY, stop on event" +simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT) +print "Testing test.log, stop on field" +simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD) +print "Testing test.log, stop on record" +simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD) +print "Testing test.log, stop on event" +simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT) +print "Test 6 Done\n" + +print "Starting Test 7, compound search..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +compound_search(au, auparse.AUSEARCH_RULE_AND) +compound_search(au, auparse.AUSEARCH_RULE_OR) +print "Test 7 Done\n" + +print "Starting Test 8, regex search..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +print "Doing regex match...\n" +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +print "Test 8 Done\n" + +# Note: this should match Test 2 exactly +# Note: this should match Test 2 exactly +print "Starting Test 9, buffer feed..." +au = auparse.AuParser(auparse.AUSOURCE_FEED); +event_cnt = 1 +au.add_callback(feed_callback, [event_cnt]) +chunk_len = 3 +for s in buf: + s_len = len(s) + beg = 0 + while beg < s_len: + end = min(s_len, beg + chunk_len) + data = s[beg:end] + beg += chunk_len + au.feed(data) +au.flush_feed() +print "Test 9 Done\n" + +# Note: this should match Test 4 exactly +print "Starting Test 10, file feed..." +au = auparse.AuParser(auparse.AUSOURCE_FEED); +event_cnt = 1 +au.add_callback(feed_callback, [event_cnt]) +f = open(srcdir + "/test.log"); +while True: + data = f.read(4) + if not data: break + au.feed(data) +au.flush_feed() +print "Test 10 Done\n" + +print "Finished non-admin tests\n" + +au = None +sys.exit(0) + diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref new file mode 100644 index 00000000..6cc399bd --- /dev/null +++ b/framework/src/audit/auparse/test/auparse_test.ref @@ -0,0 +1,803 @@ +Starting Test 1, iterate... +auid=4294967295 +interp auid=unset +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +auid=4294967295 +interp auid=unset +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +Test 1 Done + +Starting Test 2, walk events, records, and fields... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=? + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=? + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 2 Done + +Starting Test 3, walk events, records of 1 buffer... +event has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=1 file=None + event time: 1143146623.879:146, host=? + +Test 3 Done + +Starting Test 4, walk events, records of 1 file... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=./test.log + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=./test.log + event time: 1170021493.977:293, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=./test.log + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=./test.log + event time: 1170021493.977:293, host=? + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=./test.log + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=./test.log + event time: 1170021601.342:295, host=? + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=./test.log + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=./test.log + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=./test.log + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=./test.log + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 4 Done + +Starting Test 5, walk events, records of 2 files... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test.log + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test.log + event time: 1170021493.977:293, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test.log + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test.log + event time: 1170021493.977:293, host=? + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test.log + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test.log + event time: 1170021601.342:295, host=? + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test.log + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test.log + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test.log + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test.log + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 8 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test2.log + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read (read) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test2.log + event time: 1170021493.977:293, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test2.log + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test2.log + event time: 1170021493.977:293, host=? + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 9 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test2.log + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 10 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test2.log + event time: 1170021601.342:295, host=? + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 11 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test2.log + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 12 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test2.log + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 13 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test2.log + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 14 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test2.log + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 5 Done + +Starting Test 6, search... +auid = 500 not found...which is correct +auid exists...which is correct +Testing BUFFER_ARRAY, stop on field +Found auid = 848 +Testing BUFFER_ARRAY, stop on record +Found type = SYSCALL +Testing BUFFER_ARRAY, stop on event +Found type = SYSCALL +Testing test.log, stop on field +Found auid = 4294967295 +Testing test.log, stop on record +Found type = SYSCALL +Testing test.log, stop on event +Found type = AVC +Test 6 Done + +Starting Test 7, compound search... +Found type = USER_START +Found auid = 0 +Test 7 Done + +Starting Test 8, regex search... +Doing regex match... +Found type = LOGIN +Doing regex wildcard search... +Found type = USER_LOGIN +Test 8 Done + +Starting Test 9, buffer feed... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=? + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=? + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 9 Done + +Starting Test 10, file feed... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=None + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=None + event time: 1170021493.977:293, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=None + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=None + event time: 1170021493.977:293, host=? + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=None + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=None + event time: 1170021601.342:295, host=? + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=None + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=None + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=None + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=None + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 10 Done + +Finished non-admin tests + diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py new file mode 100644 index 00000000..d25e0645 --- /dev/null +++ b/framework/src/audit/auparse/test/auparse_test.ref.py @@ -0,0 +1,793 @@ +Starting Test 1, iterate... +auid=4294967295 +interp auid=unset +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +Test 1 Done + +Starting Test 2, walk events, records, and fields... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=(null) + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=(null) + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 2 Done + +Starting Test 3, walk events, records of 1 buffer... +event has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=1 file=None + event time: 1143146623.879:146, host=(null) + +Test 3 Done + +Starting Test 4, walk events, records of 1 file... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test.log + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test.log + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test.log + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test.log + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test.log + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test.log + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test.log + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test.log + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test.log + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test.log + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 4 Done + +Starting Test 5, walk events, records of 2 files... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test.log + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test.log + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test.log + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test.log + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test.log + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test.log + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test.log + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test.log + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test.log + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test.log + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 8 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test2.log + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read (read) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test2.log + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test2.log + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test2.log + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 9 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test2.log + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 10 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test2.log + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 11 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test2.log + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 12 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test2.log + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 13 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test2.log + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 14 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test2.log + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 5 Done + +Starting Test 6, search... +auid = 500 not found...which is correct +auid exists...which is correct +Testing BUFFER_ARRAY, stop on field +Found auid = 848 +Testing BUFFER_ARRAY, stop on record +Found type = SYSCALL +Testing BUFFER_ARRAY, stop on event +Found type = SYSCALL +Testing test.log, stop on field +Found auid = 4294967295 +Testing test.log, stop on record +Found type = SYSCALL +Testing test.log, stop on event +Found type = AVC +Test 6 Done + +Starting Test 7, compound search... +Found type = USER_START +Found auid = 0 +Test 7 Done + +Starting Test 8, regex search... +Doing regex match... + +Test 8 Done + +Starting Test 9, buffer feed... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=(null) + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=(null) + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 9 Done + +Starting Test 10, file feed... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=None + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=None + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=None + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=None + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=None + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=None + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=None + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=None + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=None + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=None + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 10 Done + +Finished non-admin tests + diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log new file mode 100644 index 00000000..e0ffabf5 --- /dev/null +++ b/framework/src/audit/auparse/test/test.log @@ -0,0 +1,10 @@ +type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir +type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null) +type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix" +type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0 +type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0 +type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' +type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' +type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log new file mode 100644 index 00000000..588f1e04 --- /dev/null +++ b/framework/src/audit/auparse/test/test2.log @@ -0,0 +1,10 @@ +type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir +type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null) +type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix" +type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0 +type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0 +type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' +type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' +type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -- cgit 1.2.3-korg