linux-audit/audit-testsuite

RFE: test for audit container ID functionality

rgbriggs opened this issue · 10 comments

Test for kernel audit container id functionality:

  • prohibit unsetting
  • prohibit self-setting
  • prohibit setting again
  • prohibit without CAP_AUDIT_CONTROL
  • verify AUDIT_CONTAINER record
  • verify auditctl containerid filter
  • verify kernel AUDIT_CONTAINERID filter functionality
  • verify AUDIT_CONTAINER_INFO record

See: linux-audit/audit-kernel#32
See: linux-audit/audit-kernel#90
See: linux-audit/audit-kernel#91
See: linux-audit/audit-kernel#92
See: linux-audit/audit-userspace#40
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Here's an updated test script:

#!/bin/sh

# test self-set, should succeed
echo 123455 > /proc/$$/audit_containerid || echo self-write should have succeeded
ausearch -ts boot | grep " contid=123455" || echo self-write success record should appear

# setup for several tests
sleep 5 &
child=$!; sleep 1

# test unset, should fail (all-ones is the "unset" sentinel value)
echo 18446744073709551615 > /proc/$child/audit_containerid && echo write unset should have failed
ausearch -ts boot | grep " contid=18446744073709551615" || echo write unset failure record should appear

# test first set, should pass
echo 123456 > /proc/$child/audit_containerid || echo write set should have succeeded
ausearch -ts boot | grep " contid=123456" || echo write set record success should appear

# test set again, should fail
echo 123457 > /proc/$child/audit_containerid && echo write set again should have failed
ausearch -ts boot | grep " contid=123457" || echo write set again record failure should appear

# test set child with child, should fail
# child2 is a bash that has forked its own child (the backgrounded sleep), so
# child2 has a child of its own by the time we try to set its containerid
bash -c "sleep 3 & wait" &
child2=$!; sleep 1
echo 123458 > /proc/$child2/audit_containerid && echo write set child with child should fail
ausearch -ts boot | grep " contid=123458" || echo write set child with child failure record should appear
echo self:$$ contid:$(cat /proc/$$/audit_containerid)
echo child:$child contid:$(cat /proc/$child/audit_containerid)
echo child2:$child2 contid:$(cat /proc/$child2/audit_containerid)

# test filter on containerid
containerid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to add containerid filter rule
# the perl child sleeps first so we can set its containerid before it touches /tmp
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child3=$!
echo $containerid > /proc/$child3/audit_containerid || echo failed to set containerid on file open task
sleep 2
rm -f /tmp/$key
ausearch -i -ts boot -k $key || echo failed to find CONTAINER record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to del containerid filter rule

Just for the record: we agreed that I will assist Richard with transforming the bash test script mentioned above into Perl so that it fits into the audit regression test suite.

Great, thanks for letting me know. I went ahead and assigned this task to both of you :)

Test netfilter packet audit container identifier auxiliary records:

# test multiple containers on one netns
# create two child processes, each with its own containerid, in the same netns
sleep 5 &
child4=$!
containerid1=123451
echo $containerid1 > /proc/$child4/audit_containerid || echo failed to set containerid on child4
sleep 5 &
child5=$!
containerid2=123452
echo $containerid2 > /proc/$child5/audit_containerid || echo failed to set containerid on child5
# set up audit rules in netfilter, mark the packet so it can be found, and send a test packet
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -t mangle -I INPUT -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1
iptables -D INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -t mangle -D INPUT -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
ausearch -i -m NETFILTER_PKT -ts recent | grep mark=0x12345555 || echo failed to find NETFILTER_PKT record
ausearch -i -m NETFILTER_PKT -ts recent | grep contid= | grep $containerid1 | grep $containerid2 || echo failed to find CONTAINER record
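Both scripts above verify their expectations with `ausearch | grep`, which matches anywhere in the event text and cannot tell one record of an event from another. The following is an added example, not code from the audit-testsuite or from either script: it parses raw audit records (the non-interpreted `ausearch`/`audit.log` format), groups them into events by serial number, and expresses the two checks that matter here (a keyed filter hit attributed to a contid, and a marked NETFILTER_PKT event carrying every expected contid) as functions that return a result instead of a grep exit status. The sample records are constructed; the `CONTAINER` and `CONTAINER_INFO` record names are taken from the AUDIT_CONTAINER and AUDIT_CONTAINER_INFO names in the issue with the `AUDIT_` prefix dropped, and the comma-separated list of several IDs in one `contid=` field is an assumption made for this example.

```python
"""Check audit container ID expectations from raw audit records (added example)."""
import re
from collections import defaultdict

# Standard raw audit record header: type=NAME msg=audit(SECONDS.MILLIS:SERIAL): fields...
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value fields: the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')

# Value the first script writes to /proc/PID/audit_containerid to attempt an unset: (u64)-1
AUDIT_CID_UNSET = 18446744073709551615


def parse_record(line):
    """Parse one raw record into a dict, or return None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group('rest')):
        fields[fm.group(1)] = fm.group(2) if fm.group(2) is not None else fm.group(3)
    return {'type': m.group('type'), 'ts': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group records into events keyed by serial, as ausearch does when it prints an event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return dict(events)


def event_contids(event):
    """All container IDs attached to an event's records.
    Assumption (constructed for this example): several IDs are comma-separated in one contid= field."""
    ids = set()
    for rec in event:
        raw = rec['fields'].get('contid')
        if raw:
            ids.update(int(x) for x in raw.split(',') if x)
    return ids


def contid_records(lines, contid):
    """Records carrying a specific contid value, e.g. the failed-unset attempt that the
    first script looks for with grep " contid=18446744073709551615"."""
    return [rec for rec in map(parse_record, lines) if rec and contid in event_contids([rec])]


def find_keyed_events(events, key):
    """Events whose SYSCALL record carries the given auditctl -k key."""
    return [ev for ev in events.values()
            if any(r['type'] == 'SYSCALL' and r['fields'].get('key') == key for r in ev)]


def check_filter_hit(lines, key, contid):
    """Counterpart of `ausearch -k $key` plus a contid check: True when an event matched the
    keyed rule and was attributed to the given container ID."""
    events = group_events(lines)
    return any(contid in event_contids(ev) for ev in find_keyed_events(events, key))


def check_netfilter_pkt(lines, mark, expected_contids):
    """Counterpart of the two greps in the netfilter test: a NETFILTER_PKT record with the
    given mark exists and the same event names every expected container ID."""
    for ev in group_events(lines).values():
        pkt = [r for r in ev if r['type'] == 'NETFILTER_PKT']
        if pkt and any(int(r['fields'].get('mark', '0'), 16) == mark for r in pkt):
            if set(expected_contids) <= event_contids(ev):
                return True
    return False


# Constructed sample records, not captured output. Serial 101: the keyed /tmp write from a task
# with contid 123459. Serial 102: the marked loopback ping with its auxiliary container record.
# Serial 103: the rejected attempt to write the unset value.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1568808000.123:101): arch=c000003e syscall=257 success=yes exit=3 pid=4242 auid=0 contid=123459 key="tmpcontainerid"
type=CWD msg=audit(1568808000.123:101): cwd="/root"
type=PATH msg=audit(1568808000.123:101): item=0 name="/tmp/tmpcontainerid" nametype=CREATE
type=NETFILTER_PKT msg=audit(1568808001.456:102): mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=1
type=CONTAINER_INFO msg=audit(1568808001.456:102): contid=123451,123452
type=CONTAINER msg=audit(1568808002.789:103): op=set opid=4243 contid=18446744073709551615 res=0
""".splitlines()

if __name__ == '__main__':
    print('filter hit:', check_filter_hit(SAMPLE_LOG, 'tmpcontainerid', 123459))
    print('netfilter pkt:', check_netfilter_pkt(SAMPLE_LOG, 0x12345555, [123451, 123452]))
    print('unset attempts:', len(contid_records(SAMPLE_LOG, AUDIT_CID_UNSET)))
```

Feeding the functions the output of `ausearch --raw -ts boot` (one record per line) instead of `SAMPLE_LOG` gives the same checks against a live system; the grouping by serial is what lets the netfilter check insist that the mark and the contids belong to the same event rather than merely appearing somewhere in the output.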

Just out of curiosity, the aforementioned test is currently the only way to test container ID, is that correct? Because no container tool / orchestrator [*] supports this yet. I just want to make sure I understand it well: first, we need to have this container-id functionality in the kernel. Then each orchestrator willing to support container auditing must implement it (i.e. create a container id associated with the container process).

Now suppose I have a Fedora machine with a container and I trigger an audit event from that container. What will happen? Will I see the event on the host machine? What happens if my host machine does have container-id support and I create a container-id in /proc/ and trigger an event from the container?

I am sorry for such silly questions.

V1 PR: #83

2019-09-18:
forced update of testsuite to accommodate nesting features for v7 kernel and userspace

a new pull request to replace the one that got accidentally closed:
#91

Forced update of testsuite to accommodate nesting features for v9 kernel and userspace