2 * Copyright 2018 Aniket Pandey
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 #include <sys/ioctl.h>
30 #include <bsm/libbsm.h>
31 #include <security/audit/audit_ioctl.h>
44 * Checks the presence of "auditregex" in auditpipe(4) after the
45 * corresponding system call has been triggered.
48 get_records(const char *auditregex, FILE *pipestream)
55 int reclen, bytes = 0;
59 * Open a stream on 'membuff' (address to memory buffer) for storing
60 * the audit records in the default mode.'reclen' is the length of the
61 * available records from auditpipe which is passed to the functions
62 * au_fetch_tok(3) and au_print_flags_tok(3) for further use.
64 ATF_REQUIRE((memstream = fmemopen(membuff, size, "w")) != NULL);
65 ATF_REQUIRE((reclen = au_read_rec(pipestream, &buff)) != -1);
68 * Iterate through each BSM token, extracting the bits that are
69 * required to start processing the token sequences.
71 while (bytes < reclen) {
72 if (au_fetch_tok(&token, buff + bytes, reclen - bytes) == -1) {
73 perror("au_read_rec");
74 atf_tc_fail("Incomplete Audit Record");
77 /* Print the tokens as they are obtained, in the default form */
78 au_print_flags_tok(memstream, &token, del, AU_OFLAG_NONE);
83 ATF_REQUIRE_EQ(0, fclose(memstream));
84 return (atf_utils_grep_string("%s", membuff, auditregex));
88 * Override the system-wide audit mask settings in /etc/security/audit_control
89 * and set the auditpipe's maximum allowed queue length limit
92 set_preselect_mode(int filedesc, au_mask_t *fmask)
95 int fmode = AUDITPIPE_PRESELECT_MODE_LOCAL;
97 /* Set local preselection mode for auditing */
98 if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_MODE, &fmode) < 0)
99 atf_tc_fail("Preselection mode: %s", strerror(errno));
101 /* Set local preselection flag corresponding to the audit_event */
102 if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_FLAGS, fmask) < 0)
103 atf_tc_fail("Preselection flag: %s", strerror(errno));
105 /* Set local preselection flag for non-attributable audit_events */
106 if (ioctl(filedesc, AUDITPIPE_SET_PRESELECT_NAFLAGS, fmask) < 0)
107 atf_tc_fail("Preselection naflag: %s", strerror(errno));
109 /* Query the maximum possible queue length limit for auditpipe */
110 if (ioctl(filedesc, AUDITPIPE_GET_QLIMIT_MAX, &qlimit_max) < 0)
111 atf_tc_fail("Query max-limit: %s", strerror(errno));
113 /* Set the queue length limit as obtained from previous step */
114 if (ioctl(filedesc, AUDITPIPE_SET_QLIMIT, &qlimit_max) < 0)
115 atf_tc_fail("Set max-qlimit: %s", strerror(errno));
117 /* This removes any outstanding record on the auditpipe */
118 if (ioctl(filedesc, AUDITPIPE_FLUSH) < 0)
119 atf_tc_fail("Auditpipe flush: %s", strerror(errno));
123 * Get the corresponding audit_mask for class-name "name" then set the
124 * success and failure bits for fmask to be used as the ioctl argument
127 get_audit_mask(const char *name)
130 au_class_ent_t *class;
132 ATF_REQUIRE((class = getauclassnam(name)) != NULL);
133 fmask.am_success = class->ac_class;
134 fmask.am_failure = class->ac_class;
139 * Loop until the auditpipe returns something, check if it is what
140 * we want, else repeat the procedure until ppoll(2) times out.
143 check_auditpipe(struct pollfd fd[], const char *auditregex, FILE *pipestream)
145 struct timespec currtime, endtime, timeout;
147 /* Set the expire time for poll(2) while waiting for syscall audit */
148 ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &endtime));
149 endtime.tv_sec += 10;
150 timeout.tv_nsec = endtime.tv_nsec;
153 /* Update the time left for auditpipe to return any event */
154 ATF_REQUIRE_EQ(0, clock_gettime(CLOCK_MONOTONIC, &currtime));
155 timeout.tv_sec = endtime.tv_sec - currtime.tv_sec;
157 switch (ppoll(fd, 1, &timeout, NULL)) {
158 /* ppoll(2) returns, check if it's what we want */
160 if (fd[0].revents & POLLIN) {
161 if (get_records(auditregex, pipestream))
164 atf_tc_fail("Auditpipe returned an "
165 "unknown event %#x", fd[0].revents);
169 /* poll(2) timed out */
171 atf_tc_fail("%s not found in auditpipe within the "
172 "time limit", auditregex);
175 /* poll(2) standard error */
177 atf_tc_fail("Poll: %s", strerror(errno));
181 atf_tc_fail("Poll returned too many file descriptors");
187 * Wrapper functions around static "check_auditpipe"
190 check_audit_startup(struct pollfd fd[], const char *auditrgx, FILE *pipestream){
191 check_auditpipe(fd, auditrgx, pipestream);
195 check_audit(struct pollfd fd[], const char *auditrgx, FILE *pipestream) {
196 check_auditpipe(fd, auditrgx, pipestream);
198 /* Teardown: /dev/auditpipe's instance opened for this test-suite */
199 ATF_REQUIRE_EQ(0, fclose(pipestream));
203 *setup(struct pollfd fd[], const char *name)
205 au_mask_t fmask, nomask;
206 fmask = get_audit_mask(name);
207 nomask = get_audit_mask("no");
210 ATF_REQUIRE((fd[0].fd = open("/dev/auditpipe", O_RDONLY)) != -1);
211 ATF_REQUIRE((pipestream = fdopen(fd[0].fd, "r")) != NULL);
212 fd[0].events = POLLIN;
214 /* Set local preselection audit_class as "no" for audit startup */
215 set_preselect_mode(fd[0].fd, &nomask);
216 ATF_REQUIRE_EQ(0, system("service auditd onestatus || \
217 { service auditd onestart && touch started_auditd ; }"));
219 /* If 'started_auditd' exists, that means we started auditd(8) */
220 if (atf_utils_file_exists("started_auditd"))
221 check_audit_startup(fd, "audit startup", pipestream);
223 /* Set local preselection parameters specific to "name" audit_class */
224 set_preselect_mode(fd[0].fd, &fmask);
231 if (atf_utils_file_exists("started_auditd"))
232 system("service auditd onestop > /dev/null 2>&1");