runtime qa: moderize ima test

Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2019-05-18 08:39:25 -0700
committer: Armin Kuster <akuster808@gmail.com> 2019-05-26 21:58:11 -0700
commit: 0acb5d2c7dcacc63f10ca71044b4d80e82d90684 (patch)
tree: 6c98fc593b5baf0cdff05ee5492b778453cf802c
parent: f5e9ba656e2350cbc5b373df307af2d460f1f6f0 (diff)
download: meta-security-0acb5d2c7dcacc63f10ca71044b4d80e82d90684.tar.gz
3 files changed, 129 insertions, 82 deletions
diff --git a/meta-integrity/lib/oeqa/runtime/__init__.py b/meta-integrity/lib/oeqa/runtime/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-integrity/lib/oeqa/runtime/__init__.py
+++ /dev/null
diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py
new file mode 100644
index 0000000..0c8617a
--- /dev/null
+++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -0,0 +1,129 @@
+#!/usr/bin/env python
+#
+# Authors:  Cristina Moraru <cristina.moraru@intel.com>
+#           Alexandru Cornea <alexandru.cornea@intel.com>
+import string
+from time import sleep
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar
+import bb
+blacklist = ["/usr/bin/uz", "/bin/su.shadow"]
+class IMACheck(OERuntimeTestCase):
+    @classmethod
+    def setUpClass(cls):
+        locations = ["/bin", "/usr/bin"]
+        cls.binaries = []
+        for l in locations:
+            status, output = cls.tc.target.run("find %s -type f" % l)
+            cls.binaries.extend(output.split("\n"))
+        cls.total = len(cls.binaries)
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_ima_enabled(self):
+        ''' Test if IMA policy is loaded before systemd starts'''
+        ima_search = "ima: "
+        systemd_search = "systemd .* running"
+        status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+        self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+    @skipIfNotFeature('systemd',
+                      'Test requires systemd to be in DISTRO_FEATURES')
+    @skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd',
+                      'systemd is not the init manager for this image')
+    @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+    def test_ima_before_systemd(self):
+        ''' Test if IMA policy is loaded before systemd starts'''
+        ima_search = "ima: "
+        systemd_search = "systemd .* running"
+        status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+        self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+        ima_id = int(output.split(":")[0])
+        status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search)
+        self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search)
+        init_id = int(output.split(":")[0])
+        if ima_id > init_id:
+            self.fail("IMA does not start before systemd")
+    @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+    def test_ima_hash(self):
+        ''' Test if IMA stores correct file hash '''
+        filename = "/etc/filetest"
+        ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
+        status, output = self.target.run("echo test > %s" % filename)
+        self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
+        # wait for the IMA system to update the entry
+        maximum_tries = 30
+        tries = 0
+        status, output = self.target.run("sha1sum %s" %filename)
+        sleep(2)
+        current_hash = output.split()[0]
+        ima_hash = ""
+        while tries < maximum_tries:
+            status, output = self.target.run("cat %s | grep %s" \
+                % (ima_measure_file, filename))
+            # get last entry, 4th field
+            if status == 0:
+                tokens = output.split("\n")[-1].split()[3]
+                ima_hash = tokens.split(":")[1]
+                if ima_hash == current_hash:
+                    break
+            tries += 1
+            sleep(1)
+        # clean target
+        self.target.run("rm %s" % filename)
+        if ima_hash != current_hash:
+            self.fail("Hash stored by IMA does not match actual hash")
+    @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+    def test_ima_signature(self):
+        ''' Test if IMA stores correct signature for system binaries'''
+        passed = 0
+        failed = 0
+        for b in self.binaries:
+            if b in blacklist:
+                continue
+            status, output = self.target.run("evmctl ima_verify %s" % b)
+            if status != 0:
+                failed += 1
+            else:
+                passed += 1
+        if failed == self.total:
+             self.fail("Signature verifications failed (%s)" % self.total)
+        #bb.warn("pass: %s, fail: %s, Total: %s" % (passed, failed, total))
+    @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+    def test_ima_overwrite(self):
+        ''' Test if IMA prevents overwriting signed files '''
+        passed = 0
+        failed = 0
+        for b in self.binaries:
+            if b in blacklist:
+                continue
+            self.target.run("echo 'foo' >> %s" % b )
+            status, output = self.target.run("evmctl ima_verify %s" % b)
+            if status != 0:
+                failed += 1
+            else:
+                passed += 1
+        if failed == self.total:
+             self.fail("Overwritting verifications failed (%s)" % self.total)
diff --git a/meta-integrity/lib/oeqa/runtime/ima.py b/meta-integrity/lib/oeqa/runtime/ima.py
deleted file mode 100644
index 2e5b258..0000000
--- a/meta-integrity/lib/oeqa/runtime/ima.py
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/usr/bin/env python
-#
-# Authors:  Cristina Moraru <cristina.moraru@intel.com>
-#           Alexandru Cornea <alexandru.cornea@intel.com>
-import unittest
-import string
-from time import sleep
-from oeqa.oetest import oeRuntimeTest, skipModule
-from oeqa.utils.decorators import *
-@tag(TestType = 'FVT', FeatureID = 'IOTOS-617,IOTOS-619')
-class IMACheck(oeRuntimeTest):
-    def test_ima_before_systemd(self):
-        ''' Test if IMA policy is loaded before systemd starts'''
-        ima_search = "IMA: policy update completed"
-        systemd_search = "systemd .* running"
-        status, output = self.target.run("dmesg | grep -n '%s'" %ima_search)
-        self.assertEqual( status, 0, "Did not find '%s' in dmesg" %ima_search)
-        ima_id = int(output.split(":")[0])
-        status, output = self.target.run("dmesg | grep -n '%s'" %systemd_search)
-        self.assertEqual(status, 0, "Did not find '%s' in dmesg" %systemd_search)
-        init_id = int(output.split(":")[0])
-        if ima_id > init_id:
-            self.fail("IMA does not start before systemd")
-    def test_ima_hash(self):
-        ''' Test if IMA stores correct file hash '''
-        filename = "/etc/filetest"
-        ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
-        status, output = self.target.run("echo test > %s" %filename)
-        self.assertEqual(status, 0, "Cannot create file %s on target" %filename)
-        # wait for the IMA system to update the entry
-        maximum_tries = 30
-        tries = 0
-        status, output = self.target.run("sha1sum %s" %filename)
-        current_hash = output.split()[0]
-        ima_hash = ""
-        while tries < maximum_tries:
-            status, output = self.target.run("cat %s | grep %s" \
-                                            %(ima_measure_file, filename))
-            # get last entry, 4th field
-            if status == 0:
-                tokens = output.split("\n")[-1].split()[3]
-                ima_hash = tokens.split(":")[1]
-                if ima_hash == current_hash:
-                    break
-            tries += 1
-            sleep(1)
-        # clean target
-        self.target.run("rm %s" %filename)
-        if ima_hash != current_hash:
-            self.fail("Hash stored by IMA does not match actual hash")
-    def test_ima_signature(self):
-        ''' Test if IMA stores correct signature for system binaries'''
-        locations = ["/bin", "/usr/bin"]
-        binaries = []
-        for l in locations:
-            status, output = self.target.run("find %s -type f" %l)
-            binaries.extend(output.split("\n"))
-        for b in binaries:
-            status, output = self.target.run("evmctl ima_verify %s" %b)
-            if "Verification is OK" not in output:
-                self.fail("IMA signature verification fails for file %s" %b)
-    def test_ima_overwrite(self):
-        ''' Test if IMA prevents overwriting signed files '''
-        status, output = self.target.run("find /bin -type f")
-        self.assertEqual(status, 0 , "ssh to device fail: %s" %output)  
-        signed_file = output.strip().split()[0]
-        print("\n signed_file is %s" % signed_file)
-        status, output = self.target.run(" echo 'foo' >> %s" %signed_file)
-        self.assertNotEqual(status, 0 , "Signed file could be written")
-        self.assertIn("Permission denied", output,
-                      "Did not find expected error message. Got: %s" %output)
author	Armin Kuster <akuster808@gmail.com>	2019-05-18 08:39:25 -0700
committer	Armin Kuster <akuster808@gmail.com>	2019-05-26 21:58:11 -0700
commit	0acb5d2c7dcacc63f10ca71044b4d80e82d90684 (patch)
tree	6c98fc593b5baf0cdff05ee5492b778453cf802c
parent	f5e9ba656e2350cbc5b373df307af2d460f1f6f0 (diff)
download	meta-security-0acb5d2c7dcacc63f10ca71044b4d80e82d90684.tar.gz

diff --git a/meta-integrity/lib/oeqa/runtime/__init__.py b/meta-integrity/lib/oeqa/runtime/__init__.py deleted file mode 100644 index e69de29..0000000 --- a/meta-integrity/lib/oeqa/runtime/__init__.py +++ /dev/null


diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py new file mode 100644 index 0000000..0c8617a --- /dev/null +++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -0,0 +1,129 @@
		1	#!/usr/bin/env python
		2	#
		3	# Authors: Cristina Moraru <cristina.moraru@intel.com>
		4	# Alexandru Cornea <alexandru.cornea@intel.com>
		5
		6	import string
		7	from time import sleep
		8	from oeqa.runtime.case import OERuntimeTestCase
		9	from oeqa.core.decorator.depends import OETestDepends
		10	from oeqa.runtime.decorator.package import OEHasPackage
		11	from oeqa.core.decorator.data import skipIfNotFeature
		12	from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar
		13	import bb
		14	blacklist = ["/usr/bin/uz", "/bin/su.shadow"]
		15
		16	class IMACheck(OERuntimeTestCase):
		17
		18	@classmethod
		19	def setUpClass(cls):
		20	locations = ["/bin", "/usr/bin"]
		21	cls.binaries = []
		22	for l in locations:
		23	status, output = cls.tc.target.run("find %s -type f" % l)
		24	cls.binaries.extend(output.split("\n"))
		25
		26	cls.total = len(cls.binaries)
		27
		28
		29	@OETestDepends(['ssh.SSHTest.test_ssh'])
		30	def test_ima_enabled(self):
		31	''' Test if IMA policy is loaded before systemd starts'''
		32
		33	ima_search = "ima: "
		34	systemd_search = "systemd .* running"
		35	status, output = self.target.run("dmesg \| grep -n '%s'" % ima_search)
		36	self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
		37
		38
		39	@skipIfNotFeature('systemd',
		40	'Test requires systemd to be in DISTRO_FEATURES')
		41	@skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd',
		42	'systemd is not the init manager for this image')
		43	@OETestDepends(['ima.IMACheck.test_ima_enabled'])
		44	def test_ima_before_systemd(self):
		45	''' Test if IMA policy is loaded before systemd starts'''
		46	ima_search = "ima: "
		47	systemd_search = "systemd .* running"
		48	status, output = self.target.run("dmesg \| grep -n '%s'" % ima_search)
		49	self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
		50	ima_id = int(output.split(":")[0])
		51	status, output = self.target.run("dmesg \| grep -n '%s'" % systemd_search)
		52	self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search)
		53	init_id = int(output.split(":")[0])
		54	if ima_id > init_id:
		55	self.fail("IMA does not start before systemd")
		56
		57
		58	@OETestDepends(['ima.IMACheck.test_ima_enabled'])
		59	def test_ima_hash(self):
		60	''' Test if IMA stores correct file hash '''
		61	filename = "/etc/filetest"
		62	ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
		63	status, output = self.target.run("echo test > %s" % filename)
		64	self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
		65
		66	# wait for the IMA system to update the entry
		67	maximum_tries = 30
		68	tries = 0
		69	status, output = self.target.run("sha1sum %s" %filename)
		70	sleep(2)
		71	current_hash = output.split()[0]
		72	ima_hash = ""
		73
		74	while tries < maximum_tries:
		75	status, output = self.target.run("cat %s \| grep %s" \
		76	% (ima_measure_file, filename))
		77	# get last entry, 4th field
		78	if status == 0:
		79	tokens = output.split("\n")[-1].split()[3]
		80	ima_hash = tokens.split(":")[1]
		81	if ima_hash == current_hash:
		82	break
		83
		84	tries += 1
		85	sleep(1)
		86
		87	# clean target
		88	self.target.run("rm %s" % filename)
		89	if ima_hash != current_hash:
		90	self.fail("Hash stored by IMA does not match actual hash")
		91
		92
		93	@OETestDepends(['ima.IMACheck.test_ima_enabled'])
		94	def test_ima_signature(self):
		95	''' Test if IMA stores correct signature for system binaries'''
		96	passed = 0
		97	failed = 0
		98	for b in self.binaries:
		99	if b in blacklist:
		100	continue
		101	status, output = self.target.run("evmctl ima_verify %s" % b)
		102	if status != 0:
		103	failed += 1
		104	else:
		105	passed += 1
		106
		107	if failed == self.total:
		108	self.fail("Signature verifications failed (%s)" % self.total)
		109
		110	#bb.warn("pass: %s, fail: %s, Total: %s" % (passed, failed, total))
		111
		112	@OETestDepends(['ima.IMACheck.test_ima_enabled'])
		113	def test_ima_overwrite(self):
		114	''' Test if IMA prevents overwriting signed files '''
		115	passed = 0
		116	failed = 0
		117	for b in self.binaries:
		118	if b in blacklist:
		119	continue
		120	self.target.run("echo 'foo' >> %s" % b )
		121	status, output = self.target.run("evmctl ima_verify %s" % b)
		122
		123	if status != 0:
		124	failed += 1
		125	else:
		126	passed += 1
		127
		128	if failed == self.total:
		129	self.fail("Overwritting verifications failed (%s)" % self.total)


diff --git a/meta-integrity/lib/oeqa/runtime/ima.py b/meta-integrity/lib/oeqa/runtime/ima.py deleted file mode 100644 index 2e5b258..0000000 --- a/meta-integrity/lib/oeqa/runtime/ima.py +++ /dev/null
@@ -1,82 +0,0 @@
1	#!/usr/bin/env python
2	#
3	# Authors: Cristina Moraru <cristina.moraru@intel.com>
4	# Alexandru Cornea <alexandru.cornea@intel.com>
5
6	import unittest
7	import string
8	from time import sleep
9	from oeqa.oetest import oeRuntimeTest, skipModule
10	from oeqa.utils.decorators import *
11
12	@tag(TestType = 'FVT', FeatureID = 'IOTOS-617,IOTOS-619')
13	class IMACheck(oeRuntimeTest):
14	def test_ima_before_systemd(self):
15	''' Test if IMA policy is loaded before systemd starts'''
16
17	ima_search = "IMA: policy update completed"
18	systemd_search = "systemd .* running"
19	status, output = self.target.run("dmesg \| grep -n '%s'" %ima_search)
20	self.assertEqual( status, 0, "Did not find '%s' in dmesg" %ima_search)
21	ima_id = int(output.split(":")[0])
22	status, output = self.target.run("dmesg \| grep -n '%s'" %systemd_search)
23	self.assertEqual(status, 0, "Did not find '%s' in dmesg" %systemd_search)
24	init_id = int(output.split(":")[0])
25	if ima_id > init_id:
26	self.fail("IMA does not start before systemd")
27
28	def test_ima_hash(self):
29	''' Test if IMA stores correct file hash '''
30	filename = "/etc/filetest"
31	ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
32	status, output = self.target.run("echo test > %s" %filename)
33	self.assertEqual(status, 0, "Cannot create file %s on target" %filename)
34
35	# wait for the IMA system to update the entry
36	maximum_tries = 30
37	tries = 0
38	status, output = self.target.run("sha1sum %s" %filename)
39	current_hash = output.split()[0]
40	ima_hash = ""
41
42	while tries < maximum_tries:
43	status, output = self.target.run("cat %s \| grep %s" \
44	%(ima_measure_file, filename))
45	# get last entry, 4th field
46	if status == 0:
47	tokens = output.split("\n")[-1].split()[3]
48	ima_hash = tokens.split(":")[1]
49	if ima_hash == current_hash:
50	break
51
52	tries += 1
53	sleep(1)
54
55	# clean target
56	self.target.run("rm %s" %filename)
57	if ima_hash != current_hash:
58	self.fail("Hash stored by IMA does not match actual hash")
59
60	def test_ima_signature(self):
61	''' Test if IMA stores correct signature for system binaries'''
62	locations = ["/bin", "/usr/bin"]
63	binaries = []
64	for l in locations:
65	status, output = self.target.run("find %s -type f" %l)
66	binaries.extend(output.split("\n"))
67
68	for b in binaries:
69	status, output = self.target.run("evmctl ima_verify %s" %b)
70	if "Verification is OK" not in output:
71	self.fail("IMA signature verification fails for file %s" %b)
72
73	def test_ima_overwrite(self):
74	''' Test if IMA prevents overwriting signed files '''
75	status, output = self.target.run("find /bin -type f")
76	self.assertEqual(status, 0 , "ssh to device fail: %s" %output)
77	signed_file = output.strip().split()[0]
78	print("\n signed_file is %s" % signed_file)
79	status, output = self.target.run(" echo 'foo' >> %s" %signed_file)
80	self.assertNotEqual(status, 0 , "Signed file could be written")
81	self.assertIn("Permission denied", output,
82	"Did not find expected error message. Got: %s" %output)