audit test results on lspp.10 kernel

Linda Knippers linda.knippers at hp.com
Tue Mar 7 23:59:42 UTC 2006


In our LSPP concall on Monday I said I'd give our audit tests a try
on the latest kernel.  I ran our CAPP audit test suite on an ia32
box installed with FC5T2, the lspp.10 kernel, the 1.1.4 audit tools
and the MLS policy in permissive mode.  This is what I got:

fchmod, fchown, fchown32 tests failed to run because the test cases
got errors trying to insert a watch.
 > /sbin/auditctl -w /tmp/audit_testPZbtbq -k _tmp_audit_testPZbtbq
 > Error sending watch insert request (Invalid argument)
Not sure if this is a kernel/user-space compatibility problem or
we just don't have all the new code in yet.

The negative test cases for our msgctl-set and semctl-set failed
because they didn't see the right audit records.  These tests
attempt to remove a message queue or semaphore set with
insufficient permissions.  Our tests are looking for an IPC record 
whether the syscall fails or succeeds and I only got one on the success 
case.

Our tests for successful mounts and symlinks failed but I believe it's
because I got AVC denied messages and that goofed up the way the tests
look for the right fields in the audit records.

The *xattr tests failed to build so I haven't run those yet.

I'll look at the *xattr tests next and also try to set up an x86_64 box.
All in all though, not too bad.

-- ljk



