def test_user_aud_check_chroot(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user_list = app.user.user_list()
user, u_passwd = valid_name_generator(), 'Testpass123'
if user not in user_list:
app.user.user_create(user, admpass, u_passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
app.user.user_aud_add(user, hex(aud_flags['chroot']),
hex(aud_flags['chroot']), admpass)
else:
app.user.user_aud_add(user, hex(aud_flags['chroot']),
hex(aud_flags['chroot']), admpass)
cap = 'cap_sys_chroot'
app.user.user_ald_cap(user, getfqdn(), passfile)
aud_flag = 'chroot'
app.base.clean_kernel_mlog()
user_uid = app.base.get_user_uid(user)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('/usr/sbin/chroot /')
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag, flag='[f]')
assert result
app.base.clean_kernel_mlog()
app.user.user_linux_cap_mod(user, cap, admpass)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('/usr/sbin/chroot /')
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag, flag='[s]')
assert result
def test_user_aud_check_acl(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user_list = app.user.user_list()
user, u_passwd = valid_name_generator(), 'Testpass123'
if user not in user_list:
app.user.user_create(user, admpass, u_passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
app.user.user_aud_add(user, hex(aud_flags['acl']), hex(aud_flags['acl']), admpass)
else:
app.user.user_aud_add(user, hex(aud_flags['acl']), hex(aud_flags['acl']), admpass)
app.user.user_ald_cap(user, getfqdn(), passfile)
aud_dir = '/tmp/dir_for_test'
aud_flag = 'setacl'
try:
os.mkdir(aud_dir, 0o700)
except OSError as mkdir_err:
if mkdir_err.errno == errno.EEXIST:
shutil.rmtree(aud_dir)
os.mkdir(aud_dir, 0o700)
else:
raise
app.base.clean_kernel_mlog()
user_uid = app.base.get_user_uid(user)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('/usr/bin/setfacl -R -m u::rw %s' % aud_dir)
usession.expect(user + '@' + gethostname())
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag, obj=aud_dir, flag='[f]')
assert result
app.base.clean_kernel_mlog()
os.chown(aud_dir, user_uid, user_uid)
usession.sendline('/usr/bin/setfacl -R -d -m u::rw %s' % aud_dir)
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag, obj=aud_dir, flag='[s]')
assert result
shutil.rmtree(aud_dir)
def test_user_aud_check_net(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user_list = app.user.user_list()
user, u_passwd = valid_name_generator(), 'Testpass123'
if user not in user_list:
app.user.user_create(user, admpass, u_passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
app.user.user_aud_add(user, hex(aud_flags['net']),
hex(aud_flags['net']), admpass)
else:
app.user.user_aud_add(user, hex(aud_flags['net']),
hex(aud_flags['net']), admpass)
app.user.user_ald_cap(user, getfqdn(), passfile)
aud_flag = 'connect'
app.base.clean_kernel_mlog()
user_uid = app.base.get_user_uid(user)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('/bin/ping %s -c1' % getfqdn())
usession.expect(user + '@' + gethostname())
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag, flag='[s]')
# in case of the 1st fail
if not result:
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
assert result
app.base.clean_kernel_mlog()
os.chmod('/var/run/nscd/socket', 0o600)
usession.sendline('/bin/ping %s -c1' % getfqdn())
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag, flag='[f]')
assert result
os.chmod('/var/run/nscd/socket', 0o666)
def test_user_aud_mod(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
subprocess.call('/etc/inid.d/aldd restart', shell=True)
user, passwd = valid_name_generator(), 'Testpass123'
app.user.user_create(user, admpass, passwd)
app.user.user_aud_add(user, '0x1', '0x1', admpass)
for flag in sorted(list(aud_flags.values()))[1:]:
succ = fail = flag
app.user.user_aud_mod(user, hex(succ), hex(fail), admpass)
aud_list = app.user.user_aud_list(passfile)
assert 'user:{0}: {1}:{2}'.format(user, hex(succ),
hex(fail)) in aud_list
def test_user_aud_random(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user, passwd = valid_name_generator(), 'Testpass123'
app.user.user_create(user, admpass, passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
count_succ = random.choice(range(1, 18))
count_fail = random.choice(range(1, 18))
succ = random.choice(list(aud_flags.values()))
fail = random.choice(list(aud_flags.values()))
while count_succ != 0:
succ += random.choice(list(aud_flags.values()))
count_succ -= 1
while count_fail != 0:
succ += random.choice(list(aud_flags.values()))
count_fail -= 1
app.user.user_aud_add(user, hex(succ), hex(fail), admpass)
aud_list = app.user.user_aud_list(passfile)
aud_list = [flag.lower() for flag in aud_list]
assert 'user:{0}: {1}:{2}'.format(user, hex(succ), hex(fail)) in aud_list
def test_user_aud_check_exec(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user_list = app.user.user_list()
user, u_passwd = valid_name_generator(), 'Testpass123'
if user not in user_list:
app.user.user_create(user, admpass, u_passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
app.user.user_aud_add(user, hex(aud_flags['exec']),
hex(aud_flags['exec']), admpass)
else:
app.user.user_aud_add(user, hex(aud_flags['exec']),
hex(aud_flags['exec']), admpass)
app.user.user_ald_cap(user, getfqdn(), passfile)
aud_dir = '/tmp/dir_for_test'
aud_file = aud_dir + '/file_for_test'
aud_flag = 'exec'
app.base.clean_kernel_mlog()
try:
os.mkdir(aud_dir, 0o700)
except OSError as mkdir_err:
if mkdir_err.errno == errno.EEXIST:
shutil.rmtree(aud_dir)
os.mkdir(aud_dir, 0o700)
else:
raise
with open(aud_file, 'w', encoding='utf-8') as audfile:
audfile.write('test')
os.chmod(aud_file, 0o700)
user_uid = app.base.get_user_uid(user)
os.chown(aud_file, user_uid, os.getuid())
os.chown(aud_dir, user_uid, os.getuid())
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.sendline(aud_file)
time.sleep(2)
kern_list = app.base.kernlog_list(user_uid)
with open('/tmp/kern', 'w') as k:
k.write(str(kern_list))
result = app.user.user_aud_check(kern_list,
obj=aud_file,
call=aud_flag,
flag='[s]')
# in case of the 1st fail
if not result:
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
assert result
app.base.clean_kernel_mlog()
os.chmod(aud_file, 0o600)
usession.sendline(aud_file)
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list,
obj=aud_file,
call=aud_flag,
flag='[f]')
assert result
shutil.rmtree(aud_dir)
def test_user_aud_check_mount(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user_list = app.user.user_list()
user, u_passwd = valid_name_generator(), 'Testpass123'
if user not in user_list:
app.user.user_create(user, admpass, u_passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
app.user.user_aud_add(user, hex(aud_flags['mount']),
hex(aud_flags['mount']), admpass)
else:
app.user.user_aud_add(user, hex(aud_flags['mount']),
hex(aud_flags['mount']), admpass)
cap = 'cap_sys_admin'
app.user.user_ald_cap(user, getfqdn(), passfile)
aud_flag = 'mount'
app.base.clean_kernel_mlog()
user_uid = app.base.get_user_uid(user)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('python3')
usession.expect('>>>')
usession.sendline('import ctypes')
usession.expect('>>>')
usession.sendline("libc = ctypes.CDLL('libc.so.6')")
usession.sendline(
"libc.mount('/proc'.encode('ascii'), '/mnt'.encode('ascii'), 'proc'.encode('ascii'), 4096)"
)
usession.expect('>>>')
usession.sendline('exit()')
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list,
obj=None,
call=aud_flag,
flag='[f]')
assert result
app.user.user_linux_cap_mod(user, cap, admpass)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('python3')
usession.expect('>>>')
usession.sendline('import ctypes')
usession.expect('>>>')
usession.sendline("libc = ctypes.CDLL('libc.so.6')")
usession.sendline(
"libc.mount('/proc'.encode('ascii'), '/mnt'.encode('ascii'), 'proc'.encode('ascii'), 4096)"
)
usession.sendline('exit()')
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list,
obj=None,
call=aud_flag,
flag='[s]')
assert result
subprocess.call('umount /mnt', shell=True)
def test_user_aud_check_module(ald_init, app):
admpass = ald_init[0]
passfile = ald_init[1]
aud_list = app.user.user_aud_list(passfile)
user_list = app.user.user_list()
user, u_passwd = valid_name_generator(), 'Testpass123'
if user not in user_list:
app.user.user_create(user, admpass, u_passwd)
if user in str(aud_list):
app.user.user_aud_del(user, admpass)
app.user.user_aud_add(user, hex(aud_flags['module']), hex(aud_flags['module']), admpass)
else:
app.user.user_aud_add(user, hex(aud_flags['module']), hex(aud_flags['module']), admpass)
cap = 'cap_sys_module'
app.user.user_ald_cap(user, getfqdn(), passfile)
aud_flag_init = 'init_module'
aud_flag_delete = 'delete_module'
app.base.clean_kernel_mlog()
user_uid = app.base.get_user_uid(user)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('/sbin/modprobe evbug')
usession.expect(user + '@' + gethostname())
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag_init, flag='[f]')
# in case of the 1st fail
if not result:
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
assert result
subprocess.call('/sbin/modprobe evbug', shell=True)
usession.sendline('/sbin/modprobe -r evbug')
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag_delete, flag='[f]')
assert result
app.user.user_linux_cap_mod(user, cap, admpass)
subprocess.call('/sbin/modprobe -r evbug', shell=True)
usession = pexpect.spawnu('login %s' % user, timeout=3)
usession.expect('Пароль:')
usession.sendline(u_passwd)
usession.expect(user + '@' + gethostname())
usession.sendline('/sbin/modprobe evbug')
usession.expect(user + '@' + gethostname())
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag_init, flag='[s]')
# in case of the 1st fail
if not result:
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
assert result
usession.sendline('/sbin/modprobe -r evbug')
usession.expect(user + '@' + gethostname())
usession.sendline('exit')
usession.expect(pexpect.EOF)
usession.close()
assert usession.exitstatus == 0
assert not usession.isalive()
kern_list = app.base.kernlog_list(user_uid)
result = app.user.user_aud_check(kern_list, call=aud_flag_delete, flag='[s]')
assert result
