
audit test results on lspp.10 kernel

In our LSPP concall on Monday I said I'd give our audit tests a try
on the latest kernel.  I ran our CAPP audit test suite on an ia32
box installed with FC5T2, the lspp.10 kernel, the 1.1.4 audit tools
and the MLS policy in permissive mode.  This is what I got:

fchmod, fchown, fchown32 tests failed to run because the test cases
got errors trying to insert a watch.
> /sbin/auditctl -w /tmp/audit_testPZbtbq -k _tmp_audit_testPZbtbq
> Error sending watch insert request (Invalid argument)
Not sure if this is a kernel/user-space compatibility problem or
we just don't have all the new code in yet.

The negative test cases for our msgctl-set and semctl-set failed
because they didn't see the right audit records.  These tests
attempt to remove a message queue or semaphore set with
insufficient permissions.  Our tests are looking for an IPC record
whether the syscall fails or succeeds and I only got one on the
success case.

Our tests for successful mounts and symlinks failed but I believe it's
because I got AVC denied messages and that goofed up the way the tests
look for the right fields in the audit records.

The *xattr tests failed to build so I haven't run those yet.

I'll look at the *xattr tests next and also try to set up an x86_64 box. All in all though, not too bad.

-- ljk
