
RFE: test for audit container ID functionality

Open rgbriggs opened this issue 7 years ago • 10 comments

Test for kernel audit container id functionality:

  • prohibit unsetting
  • prohibit self-setting
  • prohibit setting again
  • prohibit without CAP_AUDIT_CONTROL
  • verify AUDIT_CONTAINER record
  • verify auditctl containerid filter
  • verify kernel AUDIT_CONTAINERID filter functionality
  • verify AUDIT_CONTAINER_INFO record

See:
  • https://github.com/linux-audit/audit-kernel/issues/32
  • https://github.com/linux-audit/audit-kernel/issues/90
  • https://github.com/linux-audit/audit-kernel/issues/91
  • https://github.com/linux-audit/audit-kernel/issues/92
  • https://github.com/linux-audit/audit-userspace/issues/40
  • https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

rgbriggs avatar Mar 01 '18 11:03 rgbriggs

Here's an updated test script:

#!/bin/sh

#test self-set, should succeed
echo 123455 > /proc/$$/audit_containerid || echo self-write should have succeeded
ausearch -ts boot |grep " contid=123455" || echo self-write success record should appear

#setup for several tests
sleep 5&
child=$!; sleep 1

#test unset, should fail
echo 18446744073709551615 > /proc/$child/audit_containerid && echo write unset should have failed
ausearch -ts boot |grep " contid=18446744073709551615" || echo write unset failure record should appear

#test first set, should pass
echo 123456 > /proc/$child/audit_containerid || echo write set should have succeeded
ausearch -ts boot |grep " contid=123456" || echo write set record success should appear

#test set again, should fail
echo 123457 > /proc/$child/audit_containerid && echo write set again should have failed
ausearch -ts boot |grep " contid=123457" || echo write set again record failure should appear

#test set child with child, should fail
#FIXME, doesn't spawn child of child
bash -c "sleep 1"&
child2=$!
echo 123458 > /proc/$child2/audit_containerid && echo write set child with child should fail
ausearch -ts boot |grep " contid=123458" || echo write set child with child failure record should appear
echo self:$$ contid:$(cat /proc/$$/audit_containerid)
echo child:$child contid:$(cat /proc/$child/audit_containerid)
echo child2:$child2 contid:$(cat /proc/$child2/audit_containerid)

#test filter on containerid
containerid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to add containerid filter rule
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child3=$!
echo $containerid > /proc/$child3/audit_containerid || echo failed to set containerid on file open task
sleep 2
rm -f /tmp/$key
ausearch -i -ts boot -k $key || echo failed to find CONTAINER record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to del containerid filter rule

rgbriggs avatar Mar 01 '18 11:03 rgbriggs
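As an added example, not code from the issue or from the audit-testsuite project: the lifecycle checks from the issue's list (unset must fail, first set must pass, setting again must fail) restructured from the posted script into shell functions with explicit expected outcomes, plus a small parser that counts `contid=` fields in ausearch-style records. It assumes the `/proc/<pid>/audit_containerid` interface discussed in the thread (the kernel-dependent steps report SKIP where that file is absent, so the script still runs elsewhere); the sample record lines and their field layout are constructed for the example and are not real audit output.

```shell
#!/bin/sh
# Added example, not from the issue or audit-testsuite.  Assumes the
# /proc/<pid>/audit_containerid interface described in the thread.

# Return 0 when the running kernel exposes the interface (assumption:
# the file is writable by the caller, as in the posted script).
have_contid_iface() {
    [ -w /proc/self/audit_containerid ]
}

# Try to register a container id with a task.  The status of the write
# is the result: 0 = kernel accepted it, non-zero = kernel rejected it.
# $1 = pid, $2 = u64 value (all-ones = "unset", which the kernel should refuse)
set_contid() {
    echo "$2" > "/proc/$1/audit_containerid" 2>/dev/null
}

# Compare a write status with the outcome the test requires.
# $1 = accept|reject, $2 = status from set_contid, $3 = description
expect() {
    case "$1:$2" in
        accept:0) echo "PASS: $3"; return 0 ;;
        reject:0) echo "FAIL: $3 (kernel accepted a write it should refuse)"; return 1 ;;
        accept:*) echo "FAIL: $3 (kernel refused a write it should accept)"; return 1 ;;
        *)        echo "PASS: $3"; return 0 ;;
    esac
}

# Count records (one per line on stdin) that carry "contid=<value>" as a
# whole field, so old-contid= or a longer id does not match.
# $1 = contid
count_contid_records() {
    grep -c -E "(^| )contid=$1( |\$)"
}

# Constructed sample lines (not real audit output); only the contid= field
# the posted script greps for is meaningful here.
SAMPLE_RECORDS='type=CONTAINER msg=audit(1.000:10): opid=4242 contid=123456 old-contid=18446744073709551615 res=1
type=SYSCALL msg=audit(1.000:11): syscall=257 success=yes contid=123456 key="tmpcontainerid"
type=CONTAINER msg=audit(1.000:12): opid=4242 contid=123457 old-contid=123456 res=0'

# Lifecycle checks from the issue: unset must fail, first set must pass,
# setting again must fail.  Returns 0 on all PASS, 1 on any FAIL, 2 on SKIP.
run_lifecycle_checks() {
    if ! have_contid_iface; then
        echo "SKIP: no writable /proc/self/audit_containerid on this kernel"
        return 2
    fi
    sleep 5 &
    child=$!
    rc=0
    set_contid "$child" 18446744073709551615
    expect reject $? "unset on fresh child" || rc=1
    set_contid "$child" 123456
    expect accept $? "first set on child" || rc=1
    set_contid "$child" 123457
    expect reject $? "second set on child" || rc=1
    kill "$child" 2>/dev/null
    return $rc
}

# Stand-alone run: the parser needs no audit support; the kernel checks
# either run or report SKIP.
printf '%s\n' "$SAMPLE_RECORDS" | count_contid_records 123456
run_lifecycle_checks
```

The record counter is the piece worth keeping even where the kernel lacks the feature: the posted script's `grep " contid=123455"` also matches `old-contid=` or a longer id, whereas the anchored pattern here only counts the exact field, which matters once a record carries both the new and the previous identifier.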

Just for the record. We agreed that I will assist Richard with transforming bash test script mentioned above into Perl so that it fits into audit regression test suite.

The-Mule avatar Jul 17 '18 11:07 The-Mule

Great, thanks for letting me know. I went ahead and assigned this task to both of you :)

pcmoore avatar Jul 17 '18 22:07 pcmoore

Test netfilter packet audit container identifier auxiliary records:

#test multiple containers on one netns
# create two child processes
sleep 5 &
child4=$!
containerid1=123451
echo $containerid1 > /proc/$child4/audit_containerid || echo failed to set containerid on child4
sleep 5 &
child5=$!
containerid2=123452
echo $containerid2 > /proc/$child5/audit_containerid || echo failed to set containerid on child5
# set up audit rules in netfilter and send a test packet
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -I INPUT  -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1;
#ping -c 1 127.0.0.1
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1;
iptables -D INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -D INPUT  -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
ausearch -i -m NETFILTER_PKT -ts recent|grep mark=0x12345555 || echo failed to find NETFILTER_PKT record
ausearch -i -m NETFILTER_PKT -ts recent|grep contid=|grep $containerid1|grep $containerid2 || echo failed to find CONTAINER record

rgbriggs avatar Jul 31 '18 18:07 rgbriggs

Just out of curiosity, the aforementioned test is currently the only way to test container ID, is that correct? Because no container tool / orchestrator [*] supports this yet. I just want to make sure I understand it well - first, we need to have this container-id functionality in the kernel. Then each orchestrator willing to support container auditing must implement it (i.e. create a container id associated with the container process).

Now suppose I have a Fedora machine with a container and I trigger an audit event from that container. What will happen? Will I see the event on the host machine? What happens if my host machine does have container-id support and I create a container-id in /proc/ and trigger an event from the container?

I am sorry for such silly questions.

The-Mule avatar Aug 03 '18 14:08 The-Mule

On 2018-08-03 08:01, Ondrej Moris wrote:

> Just out of curiosity, the aforementioned test is currently the only way to test container ID, is that correct? Because no container tool / orchestrator [*] supports this yet. I just want to make sure I understand it well - first, we need to have this container-id functionality in the kernel. Then each orchestrator willing to support container auditing must implement it (i.e. create a container id associated with the container process).

Correct.

> Now suppose I have a Fedora machine with a container and I trigger an audit event from that container. What will happen? Will I see the event on the host machine? What happens if my host machine does have container-id support and I create a container-id in /proc/ and trigger an event from the container?

It will appear on the host machine if the host machine has any audit rules that are triggered by that event.

If your host machine had audit container identifier support then each task listed in /proc will have an "audit_containerid" file to which you would write as required a u64 to register that audit container identifier with that task and then have that task trigger an event.

> I am sorry for such silly questions.

These are not silly questions. No apology necessary.

rgbriggs avatar Aug 03 '18 16:08 rgbriggs

V1 PR: https://github.com/linux-audit/audit-testsuite/pull/83

rgbriggs avatar Apr 10 '19 21:04 rgbriggs

2019-09-18: forced update of testsuite to accommodate nesting features for v7 kernel and userspace

rgbriggs avatar Sep 19 '19 18:09 rgbriggs

A new pull request to replace the one that got accidentally closed: https://github.com/linux-audit/audit-testsuite/pull/91

rgbriggs avatar Dec 31 '19 19:12 rgbriggs

Forced update of testsuite to accommodate nesting features for v9 kernel and userspace

rgbriggs avatar Jun 27 '20 16:06 rgbriggs