Fix dbupdate secure-mode test, add a case for updating db twice w/ same report, clean up twtools methods a bit more.

This commit is contained in:
Brian Cox 2017-08-23 17:58:12 -07:00
parent 01e25eb493
commit fafa681bce
2 changed files with 140 additions and 114 deletions

View File

@ -143,48 +143,52 @@ sub PrepareForTest
sub RunBasicTest sub RunBasicTest
{ {
twtools::logStatus("*** Beginning dbupdate.basic test\n"); twtools::logStatus("*** Beginning dbupdate.basic test\n");
printf("%-30s", "-- dbupdate.basic test"); printf("%-30s", "-- dbupdate.basic test");
PrepareForTest(); PrepareForTest();
# make some violations... # make some violations...
# #
MoveFile ( "meow.txt", "cat.txt" ); MoveFile ( "meow.txt", "cat.txt" );
CreateFile( "dog/bark.txt", "bark bark bark" ); CreateFile( "dog/bark.txt", "bark bark bark" );
# run the integrity check...
#
twtools::RunIntegrityCheck();
# Make sure we got 4 violations: 2 mod, 1 add, 1 rm. # run the integrity check...
# #
my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); twtools::RunIntegrityCheck();
if( ($n != 4) || ($a != 1) || ($r != 1) || ($c != 2) ) # Make sure we got 4 violations: 2 mod, 1 add, 1 rm.
{ #
twtools::logStatus("FAILED -- initial integrity check had unexpected results\n"); my ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() );
return 0;
}
# do the database update... if( ($n != 4) || ($a != 1) || ($r != 1) || ($c != 2) )
# {
twtools::UpdateDatabase(); twtools::logStatus("FAILED -- initial integrity check had unexpected results\n");
return 0;
}
# do another IC and make sure there are no violations # do the database update...
# #
twtools::RunIntegrityCheck(); if (0 != twtools::UpdateDatabase())
{
twtools::logStatus("FAILED -- db update did not succeed\n");
return 0;
}
($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() ); # do another IC and make sure there are no violations
#
if( $n != 0 ) twtools::RunIntegrityCheck();
{
twtools::logStatus("FAILED -- violations after update\n"); ($n, $a, $r, $c) = twtools::AnalyzeReport( twtools::RunReport() );
return 0;
} if( $n != 0 )
{
++$twtools::twpassedtests; twtools::logStatus("FAILED -- violations after update\n");
print "PASSED\n"; return 0;
return 1; }
++$twtools::twpassedtests;
print "PASSED\n";
return 1;
} }
###################################################################### ######################################################################
@ -192,81 +196,87 @@ sub RunBasicTest
# #
sub RunSecureModeTest sub RunSecureModeTest
{ {
twtools::logStatus("*** Beginning dbupdate.secure-mode test\n"); twtools::logStatus("*** Beginning dbupdate.secure-mode test\n");
printf("%-30s", "-- dbupdate.secure-mode test"); printf("%-30s", "-- dbupdate.secure-mode test");
++$twtools::twskippedtests; PrepareForTest();
print "SKIPPED - this test needs further investigation\n";
return 1;
PrepareForTest(); # make a violation and generate a report
#
CreateFile( "dog/bark.txt", "bark bark bark" );
twtools::RunIntegrityCheck( { report => $report1 } );
# make a violation and generate a report # change the same file in a slightly different way and generate
# # another report
CreateFile( "dog/bark.txt", "bark bark bark" ); #
twtools::RunIntegrityCheck( { report => $report1 } ); CreateFile( "dog/bark.txt", "bark bark bark woof" );
twtools::RunIntegrityCheck( { report => $report2 } );
# change the same file in a slightly different way and generate # Remove a file and generate a third report
# another report #
# RemoveFile( "dog/bark.txt" );
CreateFile( "dog/bark.txt", "bark bark bark woof" ); twtools::RunIntegrityCheck( { report => $report3 } );
twtools::RunIntegrityCheck( { report => $report2 } );
# Remove a file and generate a third report # Add a file and generate the fourth report
# #
RemoveFile( "dog/bark.txt" ); CreateFile( "dog/cow.txt", "moo moo" );
twtools::RunIntegrityCheck( { report => $report3 } ); twtools::RunIntegrityCheck( { report => $report4 } );
# Add a file and generate the fourth report
#
CreateFile( "dog/cow.txt", "moo moo" );
twtools::RunIntegrityCheck( { report => $report4 } );
# Update the database with report 1.
#
twtools::UpdateDatabase( { report => $report1 } );
# Try to update the database with report 2 ... this should fail # Update the database with report 1.
# in secure-mode == high because the "old" values don't match. #
# twtools::UpdateDatabase( { report => $report1 } );
if( twtools::UpdateDatabase(
{ report => $report2, secure-mode => "high" } ) )
{
twtools::logStatus("FAILED ... Secure-mode high didn't catch a bad update\n");
return 0;
}
# do a high severity update with report3 -- this should # Try to update the database with report 1 again ... this should fail
# succeed # in secure-mode == high because the db can't accept same changes again.
# #
if( ! twtools::UpdateDatabase( if( 0 == twtools::UpdateDatabase(
{ report => $report3, secure-mode => "high" } ) ) { report => $report1, secure-mode => "high" } ) )
{ {
twtools::logStatus("FAILED ... Update with report 3 failed\n"); twtools::logStatus("FAILED ... Secure-mode high didn't catch a bad update\n");
return 0; return 0;
} }
# Try 2 again ... now we are trying to update an object that
# doesn't exist in the database at all. This should
# succeed in low but fail in high.
#
if( twtools::UpdateDatabase(
{ report => $report2, secure-mode => "high" } ) )
{
twtools::logStatus("FAILED ... Update with report 2 after 3 succeeded in high mode\n");
return 0;
}
if( ! twtools::UpdateDatabase( # Try to update the database with report 2 ... this should fail
{ report => $report2, secure-mode => "low" } ) ) # in secure-mode == high because the "old" values don't match.
{ #
twtools::logStatus("FAILED ... Update with report 2 after 3 failed in low mode\n"); if( 0 == twtools::UpdateDatabase(
return 0; { report => $report2, secure-mode => "high" } ) )
} {
twtools::logStatus("FAILED ... Secure-mode high didn't catch a bad update\n");
return 0;
}
++$twtools::twpassedtests; # do a high severity update with report3 -- this should
print "PASSED\n"; # succeed
return 1; #
if( 0 != twtools::UpdateDatabase(
{ report => $report3, secure-mode => "high" } ) )
{
twtools::logStatus("FAILED ... Update with report 3 failed\n");
return 0;
}
# Try 2 again ... now we are trying to update an object that
# doesn't exist in the database at all. This should
# succeed in low but fail in high.
#
if( 0 == twtools::UpdateDatabase(
{ report => $report2, secure-mode => "high" } ) )
{
twtools::logStatus("FAILED ... Update with report 2 after 3 succeeded in high mode\n");
return 0;
}
if( 0 != twtools::UpdateDatabase(
{ report => $report2, secure-mode => "low" } ) )
{
twtools::logStatus("FAILED ... Update with report 2 after 3 failed in low mode\n");
return 0;
}
++$twtools::twpassedtests;
print "PASSED\n";
return 1;
} }

View File

@ -273,9 +273,13 @@ sub GeneratePolicyFile {
print "generating policy file...\n" if $verbose; print "generating policy file...\n" if $verbose;
logStatus(`$twrootdir/bin/twadmin -m P -c $twrootdir/$twcfgloc -Q $twsitepass -p $twrootdir/$twpolfileloc $twrootdir/$twpolicyloc 2>&1`); my (@out) = `$twrootdir/bin/twadmin -m P -c $twrootdir/$twcfgloc -Q $twsitepass -p $twrootdir/$twpolfileloc $twrootdir/$twpolicyloc 2>&1`;
return ($? == 0); my ($result) = ${^CHILD_ERROR_NATIVE};
logStatus(@out);
return $result;
} }
@ -291,9 +295,13 @@ sub CreatePolicy {
print "generating policy file...\n" if $verbose; print "generating policy file...\n" if $verbose;
logStatus(`$twrootdir/bin/twadmin -m P -c $twrootdir/$twcfgloc -Q $twsitepass -p $twrootdir/$twpolfileloc $params{policy-text} 2>&1`); my (@out) = `$twrootdir/bin/twadmin -m P -c $twrootdir/$twcfgloc -Q $twsitepass -p $twrootdir/$twpolfileloc $params{policy-text} 2>&1`;
return ($? == 0); my ($result) = ${^CHILD_ERROR_NATIVE};
logStatus(@out);
return $result;
} }
@ -305,9 +313,13 @@ sub InitializeDatabase {
my ($twmsg) = @_; my ($twmsg) = @_;
print "initializing database for '$twmsg' test...\n" if $verbose; print "initializing database for '$twmsg' test...\n" if $verbose;
logStatus(`$twrootdir/bin/tripwire -m i -P $twsitepass -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc 2>&1`); my (@out) = `$twrootdir/bin/tripwire -m i -P $twsitepass -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc 2>&1`;
return ($? == 0); my ($result) = ${^CHILD_ERROR_NATIVE};
logStatus(@out);
return $result;
} }
@ -317,13 +329,17 @@ sub InitializeDatabase {
sub UpdateDatabase { sub UpdateDatabase {
my (%params) = %{$_[0]}; my (%params) = %{$_[0]};
$params{'report'} = $reportloc if( ! defined($params{'report'}) ); $params{report} = $reportloc if( ! defined($params{report}) );
$params{'secure-mode'} = "low" if( ! defined($params{'secure-mode'}) ); $params{secure-mode} = "low" if( ! defined($params{secure-mode}) );
print "updating database for '$twmsg' test...\n" if $verbose; print "updating database for '$twmsg' test...\n" if $verbose;
logStatus(`$twrootdir/bin/tripwire -m u -a -P $twsitepass -Z $params{'secure-mode'} -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc -r $params{'report'} 2>&1`); my (@out) = `$twrootdir/bin/tripwire -m u -a -P $twsitepass -Z $params{secure-mode} -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc -r $params{report} 2>&1`;
return ($? == 0); my ($result) = ${^CHILD_ERROR_NATIVE};
logStatus(@out);
return $result;
} }
###################################################################### ######################################################################
@ -332,10 +348,10 @@ sub UpdateDatabase {
sub UpdatePolicy { sub UpdatePolicy {
my (%params) = %{$_[0]}; my (%params) = %{$_[0]};
$params{'secure-mode'} = "low" if( ! defined($params{'secure-mode'}) ); $params{secure-mode} = "low" if( ! defined($params{secure-mode}) );
print "updating policy for '$twmsg' test...\n" if $verbose; print "updating policy for '$twmsg' test...\n" if $verbose;
logStatus(`$twrootdir/bin/tripwire -m p -P $twsitepass -Q $twlocalpass -Z $params{'secure-mode'} -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc $twrootdir/$twpolicyloc 2>&1`); logStatus(`$twrootdir/bin/tripwire -m p -P $twsitepass -Q $twlocalpass -Z $params{secure-mode} -p $twrootdir/$twpolfileloc -c $twrootdir/$twcfgloc $twrootdir/$twpolicyloc 2>&1`);
return ($? == 0); return ($? == 0);
} }