audit test results on lspp.10 kernel

Klaus Weidner klaus at atsec.com
Fri Mar 10 03:20:49 UTC 2006


On Tue, Mar 07, 2006 at 06:59:42PM -0500, Linda Knippers wrote:
> In our LSPP concall on Monday I said I'd give our audit tests a try
> on the latest kernel.  I ran our CAPP audit test suite on an ia32
> box installed with FC5T2, the lspp.10 kernel, the 1.1.4 audit tools
> and the MLS policy in permissive mode.

Thank you for doing this!

> This is what I got:
> 
> fchmod, fchown, fchown32 tests failed to run because the test cases
> got errors trying to insert a watch.
> > /sbin/auditctl -w /tmp/audit_testPZbtbq -k _tmp_audit_testPZbtbq
> > Error sending watch insert request (Invalid argument)
> Not sure if this is a kernel/user-space compatibility problem or
> we just don't have all the new code in yet.

auditctl needs to be modified to match Amy's new string interface.
Amy and Steve, what's your status on getting that matched up and a
working auditctl into rawhide? This is getting kind of urgent...

> The negative test cases for our msgctl-set and semctl-set failed
> because they didn't see the right audit records.  These tests
> attempt to remove a message queue or semaphore set with
> insufficient permissions.  Our tests are looking for an IPC record 
> whether the syscall fails or succeeds and I only got one on the success 
> case.

Dustin and I have been reworking the ipc audit code; we should have an
updated patch ready tomorrow.

> The *xattr tests failed to build so I haven't run those yet.

Missing libattr-devel?

-Klaus



