From f02e2c10b5ea239a223e5f31845ee3b305c37e99 Mon Sep 17 00:00:00 2001 From: Brian Cox Date: Sat, 5 Aug 2017 18:05:21 -0700 Subject: [PATCH] Add new test-harness tests to exercise various IC mode options, plus tripwire help & version modes --- src/test-harness/tests/integritycheck.pm | 357 +++++++++++++++++++++++ src/test-harness/tests/tripwire.pm | 124 ++++++++ src/test-harness/twtools.pm | 8 +- 3 files changed, 484 insertions(+), 5 deletions(-) create mode 100644 src/test-harness/tests/integritycheck.pm create mode 100644 src/test-harness/tests/tripwire.pm diff --git a/src/test-harness/tests/integritycheck.pm b/src/test-harness/tests/integritycheck.pm new file mode 100644 index 0000000..01c203f --- /dev/null +++ b/src/test-harness/tests/integritycheck.pm @@ -0,0 +1,357 @@ + +use twtools; + +package integritycheck; + + +###################################################################### +# One time module initialization goes in here... +# +BEGIN +{ + $description = "integrity check test"; + + # This is the root directory we will be integrity checking + # + $root = "$twtools::twcwd/$twtools::twrootdir/ic-test-a"; + $root2 = "$twtools::twcwd/$twtools::twrootdir/ic-test-b"; + + # Here are the names of the report files this test will create + # + $report1 = "$twtools::twcwd/$twtools::twrootdir/report/ic-1.twr"; + + $report2 = "$twtools::twcwd/$twtools::twrootdir/report/dbupdate-2.twr"; + $report3 = "$twtools::twcwd/$twtools::twrootdir/report/dbupdate-3.twr"; + $report4 = "$twtools::twcwd/$twtools::twrootdir/report/dbupdate-4.twr"; +} + +###################################################################### +# PolicyFileString -- return the policy text as a string +# +sub PolicyFileString +{ + return < \$(ReadOnly)+S; #read only plus SHA-1 + } + + (rulename="RuleB", severity=300) + { + $root2 -> \$(ReadOnly)+S; #read only plus SHA-1 + } + +POLICY_END + +} + +###################################################################### +# CreateFile -- create a file with the specified contents +# +# input: path -- path to the file; relative to $root +# contents -- string to put in the file +# +sub CreateFile +{ + my ($path, $contents) = @_; + + system( "echo $contents > $path" ); + + $? && die "Create file failed for $path\n"; +} + +###################################################################### +# RemoveFile -- removes the named file +# +sub RemoveFile +{ + my ($path) = @_; + + if( -e "$path" ) + { + system( "rm -f $path" ); + } + + $? && die "Remove file failed for $root/$path\n"; +} + + +###################################################################### +# CreateDir -- create a directory +# +sub CreateDir +{ + my($dir) = @_; + + # NOTE: mkdir fails if it is already a directory! + # + if( ! -d "$dir" ) + { + system( "rm -f $dir" ); + system( "mkdir -p $dir" ); + + $? && die "Mkdir failed for $root/$dir\n"; + } +} + +###################################################################### +# MoveFile -- move a file from one place to another +# NOTE: file names are relative to $root +# +# input: old_name -- name of file to move +# new_name -- where it should be moved to +# +sub MoveFile +{ + my($old, $new) = @_; + + system( "mv $old $new" ); + $? && die "mv $old $new failed!\n"; +} + +###################################################################### +# PrintDatabase +# +sub PrintDatabase +{ + system( "$twtools::twrootdir/bin/twprint -m d -c $twtools::twrootdir/tw.cfg" ); +} + +###################################################################### +# PrintReport +# +sub PrintReport +{ + my ($report) = @_; + system( "$twtools::twrootdir/bin/twprint -m r -c $twtools::twrootdir/tw.cfg -r $report" ); +} + +###################################################################### +# PrepareForTest -- creates the files that each test will be +# integrity checking and initializes the database. +# +sub PrepareForTest +{ + # make sure we are cleaned up... + # + cleanup(); + + # Make the files we will be using... + # + CreateDir ( "$root"); + CreateDir ( "$root/subdir" ); + CreateFile( "$root/subdir/modify.txt", "hello world" ); + CreateFile( "$root/copy-src.txt", "asdf" ); + + CreateDir ( "$root2"); + CreateFile( "$root2/deleteme.txt", "goodbye cruel world" ); + + # Initialize the database + # + twtools::InitializeDatabase(); +} + + +###################################################################### +# +# Run the test. +# +sub run +{ + my $twpassed = 1; + + twtools::logStatus("*** Beginning integrity check test\n"); + printf("%-30s", "-- $description"); + + PrepareForTest(); + + # make some violations... + # + MoveFile ( "$root/copy-src.txt", "$root/copy-dest.txt" ); + CreateFile( "$root/subdir/modify.txt", "bark bark bark" ); + RemoveFile( "$root2/deleteme.txt"); + + ####################################################### + # First run a full IC + # + twtools::RunIntegrityCheck(); + + # Make sure we got 6 violations: 3 mod, 1 add, 2 rm. + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 6) || ($a != 1) || ($r != 2) || ($c != 3) ) + { + twtools::logStatus("Full IC failed: $n $a $r $c\n"); + $twpassed = 0; + } + + # TODO: Make RunReport+AnalyzeReport play nice with signed report files + ####################################################### + # Do it again, but sign it this time. + # + #twtools::RunIntegrityCheck({trailing-opts => "-E -P $twtools::twlocalpass"}); + + # Make sure we got 6 violations: 3 mod, 1 add, 2 rm. + # + #my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + #if( ($n != 6) || ($a != 1) || ($r != 2) || ($c != 3) ) + #{ + # twtools::logStatus("Full IC with signing failed: $n $a $r $c\n"); + # $twpassed = 0; + #} + + ####################################################### + # Now run 'just' the FS section, aka the whole policy + # + twtools::RunIntegrityCheck(trailing-opts => "-x FS"); + + # Make sure we got 6 violations: 3 mod, 1 add, 2 rm. + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 6) || ($a != 1) || ($r != 2) || ($c != 3) ) + { + twtools::logStatus("IC with FS section failed: $n $a $r $c\n"); + $twpassed = 0; + } + + ####################################################### + # Now just run RuleA + # + twtools::RunIntegrityCheck({trailing-opts => "-R RuleA"}); + + # Make sure we got 4 violations this time: 2 mod, 1 add, 1 rm. + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 4) || ($a != 1) || ($r != 1) || ($c != 2) ) + { + twtools::logStatus("IC of Rule A failed: $n $a $r $c\n"); + $twpassed = 0; + } + + ####################################################### + # Now run severity level 300, meaning RuleB + # + twtools::RunIntegrityCheck({trailing-opts => "-l 300"}); + + # Make sure we got 2 violations this time: 1 mod, 0 add, 1 rm. + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 2) || ($a != 0) || ($r != 1) || ($c != 1) ) + { + twtools::logStatus("IC of severity 300+ failed: $n $a $r $c\n"); + $twpassed = 0; + } + + ####################################################### + # Now run against one object, modify.txt + # + twtools::RunIntegrityCheck({trailing-opts => "$root/subdir/modify.txt"}); + + # Make sure we got 1 violation this time: 1 mod, 0 add, 0 rm. + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 1) || ($a != 0) || ($r != 0) || ($c != 1) ) + { + twtools::logStatus("IC of single object modify.txt failed: $n $a $r $c\n"); + $twpassed = 0; + } + + + ####################################################### + # Now run an interactive IC with cat as a fake editor, so DB gets auto updated. + # + twtools::RunIntegrityCheck({trailing-opts => "-I -V cat -P $twtools::twlocalpass"}); + + # Make sure we got 1 violation this time: 1 mod, 0 add, 0 rm. + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 6) || ($a != 1) || ($r != 2) || ($c != 3) ) + { + twtools::logStatus("Interactive IC failed: $n $a $r $c\n"); + $twpassed = 0; + } + + ####################################################### + # Finally run another full IC to verify db was updated + # + also exercise the verbose & hex output options since we don't elsewhere. + # + twtools::RunIntegrityCheck({trailing-opts => "-v -h"}); + + # Make sure we got no violations this time + # + my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); + + if( ($n != 0) || ($a != 0) || ($r != 0) || ($c != 0) ) + { + twtools::logStatus("IC after interactive IC failed: $n $a $r $c\n"); + $twpassed = 0; + } + + ######################################################### + # + # See if the tests all succeeded... + # + if ($twpassed) { + ++$twtools::twpassedtests; + print "PASSED\n"; + return 1; + } + else { + ++$twtools::twfailedtests; + print "*FAILED*\n"; + return 0; + } +} + + + +###################################################################### +# +# Initialize the test +# + +sub initialize +{ + # Make the policy file + # + twtools::GeneratePolicyFile( PolicyFileString() ); + return 1; +} + + +sub cleanup +{ + # remove all of the files we were integrity checking... + # + system( "rm -rf $root/*" ); + system( "rm -rf $root2/*" ); + $? && print "WARNING: IC cleanup failed.\n"; + + # remove the report files we created... + # + system( "rm -f $report1" ) if (-e $report1); + system( "rm -r $report2" ) if (-e $report2); + system( "rm -r $report3" ) if (-e $report3); + system( "rm -r $report4" ) if (-e $report4); + +} + + +###################################################################### +# One time module cleanup goes in here... +# +END +{ +} + +1; + diff --git a/src/test-harness/tests/tripwire.pm b/src/test-harness/tests/tripwire.pm new file mode 100644 index 0000000..af7810c --- /dev/null +++ b/src/test-harness/tests/tripwire.pm @@ -0,0 +1,124 @@ + +use twtools; + +package tripwire; + +###################################################################### +# One time module initialization goes in here... +# +BEGIN { + $description = "tripwire options test"; +} + +###################################################################### +# +# Initialize, get ready to run this test... +# +sub initialize() { + +} + + +###################################################################### +# +# Run the test. +# +sub run() { + + my $twpassed = 1; + + twtools::logStatus("*** Beginning $description\n"); + printf("%-30s", "-- $description"); + + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire`); + if ( $? != 2048 ) { + twtools::logStatus("no-args tripwire failed, error = $?\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire --version`); + if ( $? != 0 ) { + twtools::logStatus("tripwire --version failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire --help`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire --help failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire --help all`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire --help all failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire --help i c`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire --help i c failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire --asdf 2>&1`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire --asdf failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire --asdf --help 2>&1`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire --asdf --help\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire -m 2>&1`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire -m\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire -m Z 2>&1`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire -m Z failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire -m -m 2>&1`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire -m -m failed\n"); + $twpassed = 0; + } + + twtools::logStatus(`$twtools::twrootdir/bin/tripwire -m i -c nope.cfg 2>&1`); + if ( $? != 2048 ) { + twtools::logStatus("tripwire -m -i -c nope.cfg\n"); + $twpassed = 0; + } + + ######################################################### + # + # See if the tests all succeeded... + # + if ($twpassed) { + ++$twtools::twpassedtests; + print "PASSED\n"; + return 1; + } + else { + ++$twtools::twfailedtests; + print "*FAILED*\n"; + return 0; + } +} + + + +###################################################################### +# One time module cleanup goes in here... +# +END { +} + +1; diff --git a/src/test-harness/twtools.pm b/src/test-harness/twtools.pm index 745bd65..0ce7a90 100644 --- a/src/test-harness/twtools.pm +++ b/src/test-harness/twtools.pm @@ -333,9 +333,9 @@ sub RunReport { $params{report} = $reportloc if( ! defined($params{report}) ); $params{report-level} = 0 if( ! defined($params{report-level}) ); - #$params{report-object-list} = "" if( ! defined($params{report-object-list}) ); my (@out) = `$twrootdir/bin/twprint -m r -c $twrootdir/$twcfgloc -t $params{report-level} -r $params{report} 2>&1`; + logStatus(@out); return @out; @@ -380,9 +380,10 @@ sub RunIntegrityCheck { my (%params) = %{$_[0]}; $params{report} = $reportloc if( ! defined($params{report}) ); + $params{trailing-opts} = "" if( ! defined($params{trailing-opts}) ); print("running integrity check for test '$twmsg'...\n") if $verbose; - logStatus(`$twrootdir/bin/tripwire -m c -r $params{report} -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc 2>&1`); + logStatus(`$twrootdir/bin/tripwire -m c -r $params{report} -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc $params{trailing-opts} 2>&1`); return ($? & 8); } @@ -400,14 +401,11 @@ sub AnalyzeReport { # my (undef, $twstatus) = @_; -# print "*** $twstatus\n"; - # split the report summary line into it's fields # my (undef, undef, undef, $violations, $severity, $added, $removed, $changed) = split(/ /, $twstatus); - # Split out the count for each type of # violation. #