diff --git a/testcases/SOP/audadm/02-View-audadm.sh b/testcases/SOP/audadm/02-View-audadm.sh
new file mode 100755
index 0000000000000000000000000000000000000000..e66b95cc52a3fcb4f65a72251e38cce6e477d847
--- /dev/null
+++ b/testcases/SOP/audadm/02-View-audadm.sh
@@ -0,0 +1,199 @@
+#!/usr/bin/env bash
+
+# ----------------------------------------------------------------------
+# Filename : 02-View-audadm.sh
+# Version : 1.0
+# Date : 2020/05/29
+# Author : Lz
+# Email : lz843723683@gmail.com
+# History :
+# Version 1.0, 2020/05/29
+# Function : 测试三权分立 - 审计查阅
+# Out :
+# 0 => TPASS
+# 1 => TFAIL
+# other=> TCONF
+# ----------------------------------------------------------------------
+
+# 测试主题
+Title_Env_LTFLIB="三权分立(audadm) - 审计查阅"
+
+HeadFile_Source_LTFLIB="${LIB_SSHAUTO}"
+
+
+## TODO : 个性化,初始化
+# Out : 0=>TPASS
+# 1=>TFAIL
+# 2=>TCONF
+TestInit_LTFLIB(){
+ # 显示的行数
+ ViewNum_SOPAud=3
+
+ return ${TPASS}
+}
+
+
+## TODO : 清理函数
+# Out : 0=>TPASS
+# 1=>TFAIL
+# 2=>TCONF
+TestClean_LTFLIB(){
+ unset ViewNum_SOPAud
+ return ${TPASS}
+}
+
+
+## TODO :可查询到主体为auditadm_u的审计日志
+testcase_1(){
+ local cmd="sudo ausearch --input-logs -i -su auditadm_u"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "可查询主体为auditadm_u的审计日志(仅显示最后${ViewNum_SOPAud}条)" "False"
+}
+
+
+## TODO :可查询到今天的审计日志
+testcase_2(){
+ local cmd="sudo ausearch --input-logs -i -ts today"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "可查询到今天的审计日志(仅显示最后${ViewNum_SOPAud}条)" "False"
+}
+
+
+## TODO :按事件类型查询审计日志
+testcase_3(){
+ # 获取事件ID
+ local evenid="sudo ausearch --input-logs -l | tail -n 1 | awk -F \":\" '{print \$2}' | awk -F \")\" '{print \$1}'"
+ local cmd="sudo ausearch --input-logs -i -a"
+
+ SshAuto_CmdLocalAud_LTFLIB "$evenid | xargs $cmd" "no" "no"
+ TestRetParse_LTFLIB "可以按事件类型查询审计日志" "False"
+}
+
+
+## TODO :按时间段查询审计日志
+testcase_4(){
+ local cmd="sudo ausearch --input-logs -i -ts $(date +\"%m/%d/%g\") -te $(date +\"%m/%d/%g\")"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "可以按时间段查询审计日志(仅显示最后${ViewNum_SOPAud}条)" "False"
+}
+
+
+## TODO :按账号查询审计日志
+testcase_5(){
+ local cmd="sudo ausearch --input-logs -i -ui $(id -u)"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "可以按账号查询审计日志(仅显示最后${ViewNum_SOPAud}条)" "False"
+}
+
+
+## TODO :按操作类型查询审计日志
+testcase_6(){
+ local cmd="sudo ausearch --input-logs -i -x sudo"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "按操作类型查询审计日志(仅显示最后${ViewNum_SOPAud}条)" "False"
+}
+
+
+## TODO :文件监视审计
+testcase_7(){
+ local curdate=$(date "+%m%d%H%M%S")
+ local tmpkey="ltf_file_${curdate}"
+ local tmpfile="/tmp/ltfViewTest07_${curdate}"
+ if [ -f "${tmpfile}" ];then
+ rm -rf ${tmpfile}
+ fi
+ SshAuto_CmdLocalAud_LTFLIB "touch ${tmpfile}" "yes" "no"
+
+ local cmd="sudo ausearch --input-logs -k ${tmpkey}"
+ # 未设置监控
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "no" "yes"
+ TestRetParse_LTFLIB "${tmpfile} 文件当前没有设置监控,所以没有监控打印" "False"
+
+ # 设置监控
+ SshAuto_CmdLocalAud_LTFLIB "sudo auditctl -w ${tmpfile} -k ${tmpkey}" "no" "no"
+ TestRetParse_LTFLIB "设置文件 ${tmpfile} 监控打印" "False"
+
+ # 读写测试文件
+ SshAuto_CmdLocalAud_LTFLIB "sudo echo \"Hello Kylin ~\" > ${tmpfile}" "no" "no"
+ TestRetParse_LTFLIB "写文件 ${tmpfile}" "False"
+ SshAuto_CmdLocalAud_LTFLIB "sudo cat ${tmpfile}" "no" "no"
+ TestRetParse_LTFLIB "读文件 ${tmpfile}" "False"
+
+ # 设置监控
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "存在文件 ${tmpfile} 监控日志志(仅显示最后${ViewNum_SOPAud}条)" "False"
+
+ # 删除测试文件和监控
+ if [ -f "${tmpfile}" ];then
+ SshAuto_CmdLocalAud_LTFLIB "sudo auditctl -W ${tmpfile} -k ${tmpkey}" "yes" "no"
+ SshAuto_CmdLocalAud_LTFLIB "rm -rf ${tmpfile}" "yes" "no"
+ fi
+}
+
+
+## TODO :目录监视审计
+testcase_8(){
+ local curdate=$(date "+%m%d%H%M%S")
+ local tmpkey="ltf_dir_${curdate}"
+ local tmpdir="/tmp/ltfViewDor_${curdate}"
+ if [ -d "${tmpdir}" ];then
+ rm -rf ${tmpdir}
+ fi
+ SshAuto_CmdLocalAud_LTFLIB "mkdir ${tmpdir}" "yes" "no"
+
+ local cmd="sudo ausearch --input-logs -k ${tmpkey}"
+ # 未设置监控
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "no" "yes"
+ TestRetParse_LTFLIB "${tmpdir} 目录当前没有设置监控,所以没有监控打印" "False"
+
+ # 设置监控
+ SshAuto_CmdLocalAud_LTFLIB "sudo auditctl -w ${tmpdir} -k ${tmpkey}" "no" "no"
+ TestRetParse_LTFLIB "设置目录 ${tmpdir} 监控打印" "False"
+
+ # 读写测试文件
+ SshAuto_CmdLocalAud_LTFLIB "sudo touch ${tmpdir}/testfile" "no" "no"
+ TestRetParse_LTFLIB "新建文件 ${tmpdir}/testfile" "False"
+ SshAuto_CmdLocalAud_LTFLIB "sudo ls ${tmpdir}" "no" "no"
+ TestRetParse_LTFLIB "查看目录 ${tmpdir}" "False"
+
+ # 设置监控
+ SshAuto_CmdLocalAud_LTFLIB "$cmd | tail -n ${ViewNum_SOPAud}" "no" "no"
+ SshAuto_CmdLocalAud_LTFLIB "$cmd" "yes" "no"
+ TestRetParse_LTFLIB "存在目录 ${tmpdir} 监控日志志(仅显示最后${ViewNum_SOPAud}条)" "False"
+
+ # 删除测试文件和监控
+ if [ -d "${tmpdir}" ];then
+ SshAuto_CmdLocalAud_LTFLIB "sudo auditctl -W ${tmpdir} -k ${tmpkey}" "yes" "no"
+ SshAuto_CmdLocalAud_LTFLIB "rm -rf ${tmpdir}" "yes" "no"
+ fi
+}
+
+
+## TODO : 测试用例集
+# Out : 0=>TPASS
+# 1=>TFAIL
+# 2=>TCONF
+Testsuite_LTFLIB(){
+ testcase_1
+ testcase_2
+ testcase_3
+ testcase_4
+ testcase_5
+ testcase_6
+ testcase_7
+ testcase_8
+
+ return $TPASS
+}
+
+
+#----------------------------------------------#
+
+source "${LIB_LTFLIB}"
+Main_LTFLIB $@
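Review bot: In testcase_7 and testcase_8 the `sudo auditctl -W ... -k ${tmpkey}` that removes the watch rule runs only inside `if [ -f "${tmpfile}" ]` / `if [ -d "${tmpdir}" ]`, so if the test object is gone or an earlier step aborts, the watch stays in the live audit ruleset after the test; remove the rule unconditionally (or from an EXIT trap) and delete the file or directory afterwards. testcase_4 builds the `-ts`/`-te` dates with `date +\"%m/%d/%g\"`, and `%g` is the ISO week-based year, which differs from the calendar year on the first and last days of a year, so `%y` is what ausearch's MM/DD/YY format expects. The test paths are predictable names under /tmp derived from a timestamp; `mktemp` / `mktemp -d` would avoid acting on a pre-existing file or symlink at that path, and the `rm -rf ${tmpfile}` / `rm -rf ${tmpdir}` expansions should be quoted as `rm -rf -- "${tmpfile}"`. In `sudo echo \"Hello Kylin ~\" > ${tmpfile}` the redirection is performed by the calling shell rather than under sudo, which presumably only works here because the same user created the file with `touch`; if a privileged write is intended, `sudo tee` is the usual form.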