Test Plan

for

SuSE Linux Enterprise Server V8

EAL2 Security Function Verification

 

 

Version: 1.9

Owner: Daniel Jones

danjones@us.ibm.com

512.838.1794

IBM Linux Technology Center – Security

11400 Burnet Road

Austin, TX 78758

 


 

It is the responsibility of the user of this document to ensure that they are using the current version of this document. To validate that your copy of this document is at the latest level, view the latest version of this document,  http://eclipse.ltc.austin.ibm.com/EAL2/eal2_test_plan.html.

 

 

 

Table of Contents

 

Document Control

Reviewers

This document is distributed by 7UGA 5R Linux OS – Maroon. The latest version can be obtained internally from  http://eclipse.ltc.austin.ibm.com/EAL2/eal2_test_plan.html

Name

Organization

Daniel Jones

7UGA 5R Linux OS – Maroon

Doc Shankar

7UGA 5R Linux OS – Maroon

Emily Ratliff

7UGA 5R Linux OS – Maroon

Klaus Weidner

@sec information security GmbH

 

Change Summary

Date

Version

Description of Changes

03/19/2003

Draft 0.1

Initial Draft

03/27/2003

Draft 0.2

Added Entry/Exit Criteria, test tool descriptions, SMP test requirements, completed test cases.

04/01/2003

Draft 0.3

Added completed test cases, system call tests, additional software, installation of test environment.

04/04/2003

Draft 0.4

Added test environment install section, ftp database, lstat syscall. Modified H/W requirements.

04/10/2003

Draft 0.5

Added completed test cases, manual test for /etc/securetty and /etc/inittab. Added “make” to additional software.

Removed non-security relevant system calls. Added TSF Databases and Administrator Programs.

04/14/2003

Draft 0.6

Added statement about TOE modifications for testing. Added completed test cases.

04/16/2003

1.0

Added completed test cases. Corrected test case execution instructions. Made mingetty not required.

04/17/2003

1.1

Added instructions for manual mount tests.

04/18/2003

1.2

Add requirement to reboot system before re-executing the test suite.

04/24/2003

1.3

Fix unixdomainsocketperm01 testname. Added testcases for setfsuid/setfsgid. Added manual test for login.

04/25/2003

1.4

Correct mingetty manual test instructions.

05/01/2003

1.5

Added manual perl install instructions.

05/05/2003

1.6

Perform initial ssh to localhost.. Corrected script to install perl.

05/08/2003

1.7

Correct tests for removexattr.

05/16/2003

1.8

Add requirement for adherence to security guide.

05/19/2003

1.9

Removed FAIL comment from unixdomainsocketperm01 test.

Overview

Purpose

The purpose of the Security Function Verification test is to demonstrate the correct operation of security functions identified in the SuSE Linux Enterprise Server V8 (SLES8) Security Target for EAL2. The term “correct operation” is defined to include appropriate failures for unauthorized or invalid access to security functions.

Scope

The tests cases identified in this test plan are limited to those areas that enforce the secure operation of SLES8. Furthermore, only features and functions contained in the SLES8 Security Target for EAL2 are addressed. Test cases are designed to verify the correct operation of security related user programs, databases (files), and system calls. Testing for system availability in a stress environment is beyond the scope of this plan.

Environment

The following hardware and software will be used:

Hardware

Linux Distros

Version

Additional Software

IBM xSeries - Pentium 4 or Xeon Processor

SuSE Linux Enterprise Sever

V8

expect, perl expect, gcc, flex, make

Serial Terminal (or PC with Terminal Emulation)

N/A

N/A

 

The list of required packages, as well as configuration details will be provided by the EAL 2 evaluation security guide. The setup of the test machine(s) must conform strictly with the instructions and configuration details described in the EAL 2 evaluation security guide.

The selected hardware will be tested in uniprocessor and SMP configurations. The objective is to provide test coverage for both the k_deflt and k_smp kernel packages.

Assumptions and Dependencies

Assumptions

    • Expect, perl expect, gcc, flex and make packages are installed.
    • The test cases will execute local to the test target machine (i.e. not as a remote client).

Dependencies

    • Completion of test case development.
    • Completion of the security guide.
    • Availability of suitable hardware.

Test Approach and Methodology

    • The test suite package includes the PAN testing framework.
    • Where suitable, tests available from the Linux Test Project (LTP) have been utilized.
    • Where possible, the test suite is designed to run automatically, without user intervention.
    • Test cases are self contained and create/remove any resources required for validation (i.e. users, groups, files).
    • Test case source code contains descriptions of the test objective, the method of verification, and the expected result.
    • Test cases are self reporting. Each test case will check the actual result against the expected result and output a PASS/FAIL status.
    • Test cases may be executed individually without requiring the entire test suite to run.
    • Manual testing is performed only when automated options are not available.

Installation of Test Environment

Install gcc, expect, & flex

o       Launch “yast

o       Goto Software à Install/Remove Software

o       Goto search and search for “gcc

o       Select “gcc” & “gcc-c++” by selecting them and pressing “+”

o       Goto search and search for “make”

o       Select “make” by selecting it and pressing “+”

o       Goto search and search for “expect”

o       Select “expect” by selecting it and pressing “+”

o       Goto search and search for “lex

o       Select “flex” by selecting it and pressing “+”

Install perl expect

For internet connected host

#Enter the following command:

perl -MCPAN -e shell

 

#Answer “no” to the following prompt::

Are you ready for manual configuration ? [yes] no

 

#At the cpan prompt run the “install Expect” command:

cpan>install Expect

 

#Answer “yes” to the following prompt:

Shall I follow then and prepend to the queue of modules

we are processing right now? [yes] yes

 

#Quit the program

cpan>quit

 

For non-internet connected host

# Download the required files on an Internet-connected machine:

wget http://www.cpan.org/authors/id/R/RG/RGIERSIG/IO-Tty-1.02.tar.gz

wget http://www.cpan.org/authors/id/R/RG/RGIERSIG/Expect-1.15.tar.gz

 

# Transfer the files to the target machine, and run the following to

# install the Perl modules:

for f in IO-Tty*tar.gz Expect*tar.gz; do (

            gzip -dc "$f" | tar xf -

            cd `basename "$f" .tar.gz`

            perl Makefile.PL

            make && make install

            cd -

) done

Target of Evaluation (TOE) Compliance

The following packages are added through yast2, including dependencies added automatically (verified through 'rpmqpack' output):

o                    binutils
o                    cpp
o                    expect
o                    flex
o                    gcc
o                    gcc-c++
o                    glibc-devel
o                    libstdc++-devel
o                    make
o                    tcl
o                    tk
o                    xshared

The 'Expect.pm' module needed for Perl tests installs the following Perl packages (not through Yast2, the command used is "perl -mCPAN -e 'Install Expect'"):

o                    IO-Tty-1.02.tar.gz
o                    Expect-1.15.tar.gz

These modifications are all permitted according to the Security Guide ("Reviewing the system configuration"). There are no configuration violations such as setuid/setgid binaries, daemons, startup scripts or other prohibited changes. After installation of the test environment, the system remains compliant with the TOE.

Test Execution

NOTE

Some tests may leave the machine in an inconsistent state and cause the cron tests to fail. To avoid these spurious cron failures, the test host must  be rebooted before attempting to run the test suite again.

LTP Compliant Testcases

    • Execute initial ssh to localhost as root to establish authenticity of ‘localhost’. (This only needs to be performed once per freshly installed machine).
    • Retrieve linux_security_test_suite_EAL2.tar.gz from the “Extending LTP” IIOSB project to the target test machine.
    • Unzip/untar file into a directory readable by all (for example, /test_EAL2).
    • cd to ltp_EAL2 subdirectory (for example /test_EAL2/ltp_EAL2).
    • As root user, run “make”.
    • As root user, run “make install”.
    • Export “.” To PATH (i.e. export PATH=$PATH:.).
    • Export the root password in the ROOT_PASSWORD environment variable.
    • As root user, run “./runalltests.sh –N –p –l <logfile>”
    • View the test execution results in the results/<logfile> file.
    • To execute a single test case, cd to ltp_EAL2/testcases/bin directory and run the desired test (for example ./chmod01). Test results will output to stdout.

At Testcase (standalone)

    • cd to at_test_EAL subdirectory.
    • As root user, run “sh runme.sh 2>&1 | tee <output file>”
    • View execution results in <output file>

ACL Testcases (standalone)

    • cd to ext3_ACLS_tests subdirectory.
    • As root user, run “sh runme
    • View execution results in the ACL_TEST_RESULTS.log file.

Manual Tests

    • See appendix B.

System Test Entry Criteria

    • System test will begin on April 1, 2003 with available test cases.
    • Additional test cases may be delivered to the system test team until April 15th.

System Test Exit Criteria

    • At least 95% of the test cases must pass.
    • No critical defects remain open.
    • Tests executed on IBM xSeries - Pentium 4 or Xeon Processor hardware platform.

Problem Reporting and Tracking

    • SLES 8 product defects will be recorded in the “service” family in LTC Bugzilla.
    • Test case defects will be recorded in the “Bluefortress” family in LTC Bugzilla.
       

Test Case Information

Test Tools

    • PAN – Test framework used by the Linux Test Project (LTP).
    • expect / perl expect – A tool for automating interactive applications such as login, ssh, etc.

Security Function, Test Location

User Databases

Name

Location

Comments

/etc/at.allow

/etc/at.deny

ltp_EAL2/testcases/admin_tools/at/at_allow01

ltp_EAL2/testcases/admin_tools/at/at_deny01

 

/etc/cron.d/*

ltp_EAL2/testcases/admin_tools/cron/cron_dirs_checks01

 

/etc/cron.daily/

ltp_EAL2/testcases/admin_tools/cron/cron_dirs_checks01

 

/etc/cron.hourly/

ltp_EAL2/testcases/admin_tools/cron/cron_dirs_checks01

 

/etc/cron.monthly/

ltp_EAL2/testcases/admin_tools/cron/cron_dirs_checks01

 

/etc/cron.weekly/

ltp_EAL2/testcases/admin_tools/cron/cron_dirs_checks01

 

/etc/crontab

ltp_EAL2/testcases/admin_tools/cron/cron01

ltp_EAL2/testcases/admin_tools/cron/cron02

 

/etc/ftpusers

ltp_EAL2/testcases/user_databases/ftpusers01

 

/etc/group

ltp_EAL2/testcases/user_databases/group01

 

/etc/gshadow

ltp_EAL2/testcases/user_databases/group01

 

/etc/inittab

manual test

see appendix B

/etc/ld.so.conf

ltp_EAL2/testcases/user_databases/ld.so.conf01

 

/etc/login.defs

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

 

/etc/modules.conf

ltp_EAL2/testcases/admin_tools/modules.conf/modules.conf01

ltp_EAL2/testcases/admin_tools/modules.conf/modules.conf02

 

/etc/pam.d

ltp_EAL2/testcases/user_databases/pam01

 

/etc/passwd

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

 

/etc/securetty

manual test

see appendix B

/etc/security/pam_pwcheck.conf

ltp_EAL2/testcases/user_databases/pam01

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

 

/etc/security/pam_unix2.conf

ltp_EAL2/testcases/user_databases/pam01

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

 

/etc/shadow

ltp_EAL2/testcases/user_databases/shadow01

 

/etc/ssh/ssh_config

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh01

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh02

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh03

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh04

 

/etc/ssh/sshd_config

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh01

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh02

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh03

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh04

 

/etc/sysconfig/*

ltp_EAL2/testcases/admin_tools/sysconfig/sysconfig01

 

/etc/vsftpd.conf

ltp_EAL2/testcases/user_databases/ftpusers01

 

/etc/xinetd.conf

ltp_EAL2/testcases/user_databases/ftpusers01

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp02

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp03

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp04

implicit testing by ftp

/usr/lib/cracklib_dict.*

ltp_EAL2/testcases/user_databases/pam01

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

 

/var/log/faillog

ltp_EAL2/testcases/user_databases/faillog01

 

/var/log/lastlog

ltp_EAL2/testcases/user_databases/lastlog01

 

/var/spool/atjobs

at_test_EAL2/runme.sh

 

/var/spool/cron/*

ltp_EAL2/testcases/admin_tools/cron/cron_dirs_checks01

 

/var/spool/cron/allow

/var/spool/cron/deny

ltp_EAL2/testcases/admin_tools/cron/cron_allow01

ltp_EAL2/testcases/admin_tools/cron/cron_deny01

 

Administration Tools

Name

Location

Comments

/bin/login

manual test

see appendix B

/bin/ping

ltp_EAL2/testcases/network/tcp_cmds/ping/ping01

 

/bin/su

ltp_EAL2/testcases/admin_tools/su/su01

 

/sbin/agetty

manual test

see appendix B

/sbin/mingetty

manual test

see appendix B – not required

/usr/bin/at

at_test_EAL2/runme.sh

standalone test

/usr/bin/chage

ltp_EAL2/testcases/user_databases/shadow01

 

/usr/bin/chfn

ltp_EAL2/testcases/user_databases/passwd02

 

/usr/bin/chsh

ltp_EAL2/testcases/user_databases/passwd03

 

/usr/bin/crontab

ltp_EAL2/testcases/admin_tools/cron/cron01

ltp_EAL2/testcases/admin_tools/cron/cron02

 

/usr/bin/passwd

ltp_EAL2/testcases/user_databases/pam01

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

 

/usr/sbin/atd

at_test_EAL2/runme.sh

 

/usr/sbin/cron

ltp_EAL2/testcases/admin_tools/cron/cron01

ltp_EAL2/testcases/admin_tools/cron/cron02

 

/usr/sbin/groupadd

ltp_EAL2/testcases/user_databases/group01

 

/usr/sbin/groupdel

ltp_EAL2/testcases/user_databases/group01

 

/usr/sbin/groupmod

ltp_EAL2/testcases/user_databases/group01

 

/usr/sbin/sshd

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh01

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh02

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh03

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh04

 

/usr/sbin/useradd

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

ltp_EAL2/testcases/user_databases/pam01

ltp_EAL2/testcases/user_databases/shadow01

ltp_EAL2/testcases/user_databases/group01

ltp_EAL2/testcases/user_databases/ftpusers01

 

/usr/sbin/userdel

ltp_EAL2/testcases/user_databases/passwd01

ltp_EAL2/testcases/user_databases/passwd02

ltp_EAL2/testcases/user_databases/passwd03

ltp_EAL2/testcases/user_databases/pam01

ltp_EAL2/testcases/user_databases/shadow01

ltp_EAL2/testcases/user_databases/group01

ltp_EAL2/testcases/user_databases/ftpusers01

 

/usr/sbin/usermod

ltp_EAL2/testcases/user_databases/group01

 

/usr/sbin/vsftpd

ltp_EAL2/testcases/user_databases/ftpusers01

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp02

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp03

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp04

 

/usr/sbin/xinetd

ltp_EAL2/testcases/user_databases/ftpusers01

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp02

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp03

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp04

implicit testing by ftp

/sbin/init

manual test

see appendix B

Network Commands

Name

Location

Comments

ftp

ltp_EAL2/testcases/user_databases/ftpusers01

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp02

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp03

ltp_EAL2/testcases/network/tcp_cmds/ftp/ftp04

 

ssh

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh01

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh02

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh03

ltp_EAL2/testcases/network/tcp_cmds/ssh/ssh04

 

File IO System Calls

Name

Location

Comments

access()

ltp_EAL2/testcases/kernel/syscalls/access/access01.c

ltp_EAL2/testcases/kernel/syscalls/access/access02.c

ltp_EAL2/testcases/kernel/syscalls/access/access03.c

ltp_EAL2/testcases/kernel/syscalls/access/access04.c

ltp_EAL2/testcases/kernel/syscalls/access/access05.c

 

bind()

ltp_EAL2/testcases/kernel/syscalls/bind/bind01.c

ltp_EAL2/testcases/kernel/syscalls/bind/bind02

 

capset()

ltp_EAL2/testcases/kernel/syscalls/capset/capset01.c

ltp_EAL2/testcases/kernel/syscalls/capset/capset02.c

 

chdir()

ltp_EAL2/testcases/kernel/syscalls/chdir/chdir01.c

ltp_EAL2/testcases/kernel/syscalls/chdir/chdir02.c

ltp_EAL2/testcases/kernel/syscalls/chdir/chdir03.c

ltp_EAL2/testcases/kernel/syscalls/chdir/chdir04.c

 

chmod()

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod01.c

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod02.c

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod03.c

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod04.c

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod05.c

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod06.c

ltp_EAL2/testcases/kernel/syscalls/chmod/chmod07.c

 

chown()

ltp_EAL2/testcases/kernel/syscalls/chown/chown01.c

ltp_EAL2/testcases/kernel/syscalls/chown/chown02.c

ltp_EAL2/testcases/kernel/syscalls/chown/chown03.c

ltp_EAL2/testcases/kernel/syscalls/chown/chown04.c

ltp_EAL2/testcases/kernel/syscalls/chown/chown05.c

 

creat()

ltp_EAL2/testcases/kernel/syscalls/creat/creat01.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat03.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat04.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat05.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat06.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat07.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat08.c

ltp_EAL2/testcases/kernel/syscalls/creat/creat09.c

 

create_module()

ltp_EAL2/testcases/kernel/syscalls/create_module/create_module01.c

ltp_EAL2/testcases/kernel/syscalls/create_module/create_module02.c

 

delete_module()

ltp_EAL2/testcases/kernel/syscalls/delete_module/delete_module01.c

ltp_EAL2/testcases/kernel/syscalls/delete_module/delete_module02.c

ltp_EAL2/testcases/kernel/syscalls/delete_module/delete_module03.c

 

execve()

ltp_EAL2/testcases/kernel/syscalls/execve/execve01.c

ltp_EAL2/testcases/kernel/syscalls/execve/execve02.c

ltp_EAL2/testcases/kernel/syscalls/execve/execve03.c

ltp_EAL2/testcases/kernel/syscalls/execve/execve04.c

ltp_EAL2/testcases/kernel/syscalls/execve/execve05.c

ltp_EAL2/testcases/kernel/syscalls/execve/execve06.c

 

fchmod()

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod01.c

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod02.c

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod03.c

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod04.c

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod05.c

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod06.c

ltp_EAL2/testcases/kernel/syscalls/fchmod/fchmod07.c

 

fchown()

ltp_EAL2/testcases/kernel/syscalls/fchown/fchown01.c

ltp_EAL2/testcases/kernel/syscalls/fchown/fchown02.c

ltp_EAL2/testcases/kernel/syscalls/fchown/fchown03.c

ltp_EAL2/testcases/kernel/syscalls/fchown/fchown04.c

ltp_EAL2/testcases/kernel/syscalls/fchown/fchown05.c

 

fremovexattr()

ltp_EAL2/testcases/admin_tools/acls/acl_test01

using syscall 237

fsetxattr()

ltp_EAL2/testcases/admin_tools/acls/acl_test01

using syscall 228

init_module()

 

covered by access rights checking for

modules.conf and /lib/modules directory.

ioperm()

ltp_EAL2/testcases/kernel/syscalls/ioperm/ioperm01.c

ltp_EAL2/testcases/kernel/syscalls/ioperm/ioperm02.c

 

iopl()

ltp_EAL2/testcases/kernel/syscalls/iopl/iopl01.c

ltp_EAL2/testcases/kernel/syscalls/iopl/iopl02.c

 

lchown()

ltp_EAL2/testcases/kernel/syscalls/lchown/lchown01.c

ltp_EAL2/testcases/kernel/syscalls/lchown/lchown02.c

 

link()

ltp_EAL2/testcases/kernel/syscalls/link/link02.c

ltp_EAL2/testcases/kernel/syscalls/link/link03.c

ltp_EAL2/testcases/kernel/syscalls/link/link04.c

ltp_EAL2/testcases/kernel/syscalls/link/link05.c

ltp_EAL2/testcases/kernel/syscalls/link/link06.c

ltp_EAL2/testcases/kernel/syscalls/link/link07.c

 

lremovexattr()

ltp_EAL2/testcases/admin_tools/acls/acl_test01

using syscall 236

lsetxattr()

ltp_EAL2/testcases/admin_tools/acls/acl_test01

using syscall 227

mkdir()

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir01.c

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir02.c

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir03.c

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir04.c

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir05.c

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir08.c

ltp_EAL2/testcases/kernel/syscalls/mkdir/mkdir09.c

 

mknod()

 

tested by “Process Control 

unnamed pipes”

mount()

ltp_EAL2/testcases/kernel/syscalls/mount/mount01.c

ltp_EAL2/testcases/kernel/syscalls/mount/mount02.c

ltp_EAL2/testcases/kernel/syscalls/mount/mount03.c

ltp_EAL2/testcases/kernel/syscalls/mount/mount04.c

manual tests – requires unmounted

block device

open()

ltp_EAL2/testcases/kernel/syscalls/open/open01.c

ltp_EAL2/testcases/kernel/syscalls/open/open02.c

ltp_EAL2/testcases/kernel/syscalls/open/open03.c

ltp_EAL2/testcases/kernel/syscalls/open/open04.c

ltp_EAL2/testcases/kernel/syscalls/open/open05.c

ltp_EAL2/testcases/kernel/syscalls/open/open06.c

ltp_EAL2/testcases/kernel/syscalls/open/open07.c

ltp_EAL2/testcases/kernel/syscalls/open/open08.c

ltp_EAL2/testcases/kernel/syscalls/open/open09.c

ltp_EAL2/testcases/kernel/syscalls/open/open10.c

 

ptrace()

ltp_EAL2/testcases/kernel/syscalls/ptrace/ptrace01.c

ltp_EAL2/testcases/kernel/syscalls/ptrace/ptrace02.c

ltp_EAL2/testcases/kernel/syscalls/ptrace/ptrace03.c

 

removexattr()

ext3_ACLs_tests/acl-tests/misc.test

see Ext3 ACLs

rename()

ltp_EAL2/testcases/kernel/syscalls/rename/rename01.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename02.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename03.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename04.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename05.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename06.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename07.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename08.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename09.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename10.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename12.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename13.c

ltp_EAL2/testcases/kernel/syscalls/rename/rename14.c

 

rmdir()

ltp_EAL2/testcases/kernel/syscalls/rmdir/rmdir01.c

ltp_EAL2/testcases/kernel/syscalls/rmdir/rmdir02.c

ltp_EAL2/testcases/kernel/syscalls/rmdir/rmdir03.c

ltp_EAL2/testcases/kernel/syscalls/rmdir/rmdir04.c

ltp_EAL2/testcases/kernel/syscalls/rmdir/rmdir05.c

 

setfsgid()

ltp_EAL2/testcases/kernel/syscalls/setfsgid/setfsgid01.c

ltp_EAL2/testcases/kernel/syscalls/setfsgid/setfsgid02.c

ltp_EAL2/testcases/kernel/syscalls/setfsgid/setfsgid03.c

 

setfsuid()

ltp_EAL2/testcases/kernel/syscalls/setfsuid/setfsuid01.c

ltp_EAL2/testcases/kernel/syscalls/setfsuid/setfsuid02.c

ltp_EAL2/testcases/kernel/syscalls/setfsuid/setfsuid03.c

 

setgroups()

ltp_EAL2/testcases/kernel/syscalls/setgroups/setgroups01.c

ltp_EAL2/testcases/kernel/syscalls/setgroups/setgroups02.c

ltp_EAL2/testcases/kernel/syscalls/setgroups/setgroups03.c

ltp_EAL2/testcases/kernel/syscalls/setgroups/setgroups04.c

 

socketcall()

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall01.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall02.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall03.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall04.c

tested by “Process Control 

internet domain sockets”

setxattr()

ltp_EAL2/testcases/ext3_acls/file/acl_file01

ext3_ACLs_tests/acl-tests/permissions.test

ext3_ACLs_tests/acl-tests/setfacl.test

ext3_ACLs_tests/acl-tests/getfacl-noacl.test

ext3_ACLs_tests/acl-tests/misc.test

see Ext3 ACLs

swapon()

ltp_EAL2/testcases/kernel/syscalls/swapon/swapon01.c

ltp_EAL2/testcases/kernel/syscalls/swapon/swapon02.c

 

symlink()

ltp_EAL2/testcases/kernel/syscalls/symlink/symlink01.c

ltp_EAL2/testcases/kernel/syscalls/symlink/symlink02.c

ltp_EAL2/testcases/kernel/syscalls/symlink/symlink03.c

ltp_EAL2/testcases/kernel/syscalls/symlink/symlink04.c

ltp_EAL2/testcases/kernel/syscalls/symlink/symlink05.c

 

truncate()

ltp_EAL2/testcases/kernel/syscalls/truncate/truncate01.c

ltp_EAL2/testcases/kernel/syscalls/truncate/truncate02.c

ltp_EAL2/testcases/kernel/syscalls/truncate/truncate03.c

ltp_EAL2/testcases/kernel/syscalls/truncate/truncate04.c

 

umask()

ltp_EAL2/testcases/kernel/syscalls/umask/umask01.c

ltp_EAL2/testcases/kernel/syscalls/umask/umask02.c

ltp_EAL2/testcases/kernel/syscalls/umask/umask03.c

 

unlink()

ltp_EAL2/testcases/kernel/syscalls/unlink/unlink05.c

ltp_EAL2/testcases/kernel/syscalls/unlink/unlink06.c

ltp_EAL2/testcases/kernel/syscalls/unlink/unlink07.c

ltp_EAL2/testcases/kernel/syscalls/unlink/unlink08.c

 

utime()

ltp_EAL2/testcases/kernel/syscalls/utime/utime01.c

ltp_EAL2/testcases/kernel/syscalls/utime/utime02.c

ltp_EAL2/testcases/kernel/syscalls/utime/utime03.c

ltp_EAL2/testcases/kernel/syscalls/utime/utime04.c

ltp_EAL2/testcases/kernel/syscalls/utime/utime05.c

ltp_EAL2/testcases/kernel/syscalls/utime/utime06.c

 

Process Contol System Calls

Name

Location

Comments

named pipes

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe01.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe02.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe03.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe04.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe05.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe06.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe07.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe08.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe09.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe10.c

ltp_EAL2/testcases/kernel/syscalls/pipe/pipe11.c

 

unnamed pipes

mknod()

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod01.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod02.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod03.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod04.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod05.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod06.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod07.c

ltp_EAL2/testcases/kernel/syscalls/mknod/mknod08.c

 

signals

ltp_EAL2/testcases/kernel/syscalls/signals/signal01.c

ltp_EAL2/testcases/kernel/syscalls/signals/signal02.c

ltp_EAL2/testcases/kernel/syscalls/signals/signal03.c

ltp_EAL2/testcases/kernel/syscalls/signals/signal04.c

ltp_EAL2/testcases/kernel/syscalls/signals/signal05.c

ltp_EAL2/testcases/kernel/syscalls/sigaction/sigaction01.c

ltp_EAL2/testcases/kernel/syscalls/sigaction/sigaction02.c

ltp_EAL2/testcases/kernel/syscalls/sigaltstack/sigaltstack01.c

ltp_EAL2/testcases/kernel/syscalls/sigaltstack/sigaltstack02.c

ltp_EAL2/testcases/kernel/syscalls/sighold/sighold02.c

ltp_EAL2/testcases/kernel/syscalls/sigprocmask/sigprocmask01.c

ltp_EAL2/testcases/kernel/syscalls/sigrelse/sigrelse01.c

ltp_EAL2/testcases/kernel/syscalls/sigsuspend/sigsuspend01.c

 

semaphores

semctl()

semget()

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl05.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl06.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semctl/semctl07.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semget/semget01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semget/semget02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semget/semget03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semget/semget04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semget/semget05.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semget/semget06.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semop/semop01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semop/semop02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semop/semop03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semop/semop04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/semop/semop05.c

 

shared memory

shmat()

shmctl()

shmget()

ltp_EAL2/testcases/kernel/syscalls/ipc/shmat/shmat01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmat/shmat02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmat/shmat03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmctl/shmctl01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmctl/shmctl02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmctl/shmctl03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmctl/shmctl04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmdt/shmdt01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmdt/shmdt02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmget/shmget01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmget/shmget02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmget/shmget03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmget/shmget04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/shmget/shmget05.c

 

message queues

msgctl()

msgget()

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl05.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl06.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl07.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl08.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgctl/msgctl09.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgget/msgget01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgget/msgget02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgget/msgget03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgget/msgget04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgrcv/msgrcv01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgrcv/msgrcv02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgrcv/msgrcv03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgrcv/msgrcv04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgrcv/msgrcv05.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgrcv/msgrcv06.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgsmd/msgsnd01.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgsmd/msgsnd02.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgsmd/msgsnd03.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgsmd/msgsnd04.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgsmd/msgsnd05.c

ltp_EAL2/testcases/kernel/syscalls/ipc/msgsmd/msgsnd06.c

 

ipc()

 

tested by semaphore, shared

memory and message queues.

internet domain sockets

socketcall()

ltp_EAL2/testcases/kernel/syscalls/socket/socket01.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall01.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall02.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall03.c

ltp_EAL2/testcases/kernel/syscalls/socketcall/socketcall04.c

ltp_EAL2/testcases/kernel/syscalls/socketpair/socketpair01.c

ltp_EAL2/testcases/kernel/syscalls/socketioctl/sockioctl01.c

 

unix domain sockets

 

tested by File Access Permission 

VMM System Calls

Name

Location

Comments

brk()

ltp_EAL2/testcases/kernel/syscalls/brk/brk01.c

 

sbrk()

ltp_EAL2/testcases/kernel/syscalls/sbrk/sbrk01.c

 

Identification & Authorization System Calls

Name

Location

Comments

setuid()

ltp_EAL2/testcases/kernel/syscalls/setuid/setuid01.c

ltp_EAL2/testcases/kernel/syscalls/setuid/setuid02.c

ltp_EAL2/testcases/kernel/syscalls/setuid/setuid03.c

 

setreuid()

ltp_EAL2/testcases/kernel/syscalls/setreuid/setreuid01.c

ltp_EAL2/testcases/kernel/syscalls/setreuid/setreuid02.c

ltp_EAL2/testcases/kernel/syscalls/setreuid/setreuid03.c

ltp_EAL2/testcases/kernel/syscalls/setreuid/setreuid04.c

ltp_EAL2/testcases/kernel/syscalls/setreuid/setreuid05.c

ltp_EAL2/testcases/kernel/syscalls/setreuid/setreuid06.c

 

setresuid()

ltp_EAL2/testcases/kernel/syscalls/setreusid/setresuid01.c

ltp_EAL2/testcases/kernel/syscalls/setreusid/setresuid02.c

ltp_EAL2/testcases/kernel/syscalls/setreusid/setresuid03.c

 

setgid()

ltp_EAL2/testcases/kernel/syscalls/setgid/setgid01.c

ltp_EAL2/testcases/kernel/syscalls/setgid/setgid02.c

ltp_EAL2/testcases/kernel/syscalls/setgid/setgid03.c

 

setregid()

ltp_EAL2/testcases/kernel/syscalls/setregid/setregid01.c

ltp_EAL2/testcases/kernel/syscalls/setregid/setregid02.c

ltp_EAL2/testcases/kernel/syscalls/setregid/setregid03.c

ltp_EAL2/testcases/kernel/syscalls/setregid/setregid04.c

 

setresgid()

ltp_EAL2/testcases/kernel/syscalls/setresgid/setresgid01.c

ltp_EAL2/testcases/kernel/syscalls/setresgid/setresgid02.c

ltp_EAL2/testcases/kernel/syscalls/setresgid/setresgid03.c

 

ACL System Calls

Name

Location

Comments

getxattr()

 

tested indirectly by Ext3 ACLs

listxattr()

 

tested indirectly by Ext3 ACLs

removexattr()

 

tested indirectly by Ext3 ACLs

setxattr()

 

tested indirectly by Ext3 ACLs

File Access Permission

Name

Location

Comments

file

ltp_EAL2/testcases/file_access_perm/file/fileperm01

 

directory

ltp_EAL2/testcases/file_access_perm/directory/dirperm01

 

shared memory

ltp_EAL2/testcases/file_access_perm/shared_memory/shmperm01

 

message queues

ltp_EAL2/testcases/file_access_perm/message_queues/msqperm01

 

semaphores

ltp_EAL2/testcases/file_access_perm/semaphore/semperm01

 

socket special files

(unix domain socket)

ltp_EAL2/testcases/file_access_perm/unixdomainsocket/unixdomainsocketperm01

 

device special files

ltp_EAL2/testcases/file_access_perm/dev_spc_files/devfileperm01

 

named pipes

ltp_EAL2/testcases/file_access_perm/namedpipes/namedpipes01

 

proc file system

ltp_EAL2/testcases/file_access_perm/proc_file_sys/procperm01

 

SUID/SGID

ltp_EAL2/testcases/file_access_perm/suid_sgid/suid_sgid01

 

Ext3 ACLs

Name

Location

Comments

file

ltp_EAL2/testcases/ext3_acls/file/acl_file01

ext3_ACLs_tests/acl-tests/permissions.test

ext3_ACLs_tests/acl-tests/setfacl.test

ext3_ACLs_tests/acl-tests/getfacl-noacl.test

ext3_ACLs_tests/acl-tests/misc.test

 

directory

ext3_ACLs_tests/acl-tests/permissions.test

ext3_ACLs_tests/acl-tests/setfacl.test

ext3_ACLs_tests/acl-tests/misc.test

 

device special files

ext3_ACLs_tests/acl-tests/permissions.test

 

named pipes

ext3_ACLs_tests/acl-tests/permissions.test

 

Object Reuse

Name

Location

Comments

memory

ltp_EAL2/testcases/object_reuse/objreuse-brk.c

 

file

ltp_EAL2/testcases/object_reuse/objreuse-ftruncate.c

ltp_EAL2/testcases/object_reuse/objreuse-lseek.c

 

shared memory

ltp_EAL2/testcases/object_reuse/objreuse-shm.c

 

message queues

ltp_EAL2/testcases/object_reuse/objreuse-msg.c

 

semaphores

ltp_EAL2/testcases/object_reuse/objreuse-sem.c

 

mmap

ltp_EAL2/testcases/object_reuse/objreuse-mmap.c

 

 

Appendix A

Execution Plan

This is the tentative Execution Plan for SLES8 EAL2 security function verification. This portion of the plan will be updated with actual dates as the product is under test. This document will be the best source to determine in what state the product test is in. It is important to also list key milestones or checkpoints so others will be able to determine how the project is going.

Environment/Checkpoint

Test Cases

Plan Test Start

Actual Test Start

Plan Test Completion

Actual Completion

All test cases have been written

N/A

01/01/2003

02/10/2003

03/31/2003

 04/16/2003

Begin System Test

All

04/01/2003

 04/01/2003

05/01/2003

 

 

Appendix B

Manual Tests

login

o       From the console, attempt to login as root with an invalid password (login should fail)

o       Attempt to login with invalid (non-existing) username. (login should fail)

o       Attempt to login as root with valid password. (login should succeed)

o       Execute “id” command and verify identity (i.e. uid=0)

o       Execute “faillog” command and verify invalid login attempts were recorded.

o       Execute “lastlog” command and verify root user login date/time is correct.

/etc/securetty, /sbin/agetty,

o       Connect serial terminal to target of evaluation.

o       Add the following line to /etc/inittab

§         S0:2345:respawn:/sbin/agetty –L 9600 ttyS0

o       Reboot machine (or change init level).

o       Verify “root” is denied login access from the serial terminal.

o       Add “ttyS0” to the /etc/securetty file.

o       Verify “root” is allowed login access from the serial terminal.

/etc/inittab & /sbin/init

o       Add the following line to /etc/inittab

§         TEAL:2345:respawn:/bin/sleep 300

o       Reboot machine (or change init level).

o       Verify the sleep process is running (psef | grep “/bin/sleep 300”).

o       Remove line from /etc/inittab.

o       Reboot machine (or change init level).

o       Verify the sleep process is not running.

/sbin/mingetty

o       Open a virtual console using Cntrl-Alt-Fn, where n is 1-6.

o       Attempt to login as root with an invalid password. The login operation should fail.

o       Attempt to login as root with a valid operation. The login operation should be successful.

o       Execute “w” command.

o       Verify TTY is correct (i.e. ttyn).

o       Verify USER is “root”.

o       Verify LOGIN@ time is correct (i.e. current time).

mount

o       cd to ltp_EAL2/testcases/bin subdirectory (for example /test_EAL2/ltp_EAL2/testcases/bin).

o       Run “./mount01 –D /dev/...” (where /dev/… is an umounted block device)

o       Run “./mount02 –D /dev/...”

o       Run “./mount03 –D /dev/...”

o       Run “./mount04 –D /dev/...”

 

End of Document

 

Owner: Daniel Jones