Linux Test Project

Test Plan

for

SuSE Linux Enterprise Server V8

EAL3 Security Function Verification


Version: 1.9

Owner: Daniel H. Jones

danjones@us.ibm.com

512.838.1794

IBM Linux Technology Center – Security

11400 Burnet Road

Austin, TX 78758



It is the responsibility of the user of this document to ensure that they are using the current version of this document. To validate that your copy of this document is at the latest level, view the latest version of this document, http://eclipse.ltc.austin.ibm.com/EAL3/EAL3_test_plan.htm


Table of Contents


Document Control

Reviewers

This document is distributed by 7UGA 5R Linux OS – Maroon.

Name | Organization

Daniel Jones | 7UGA 5R Linux OS – Maroon

Emily Ratliff | 7UGA 5R Linux OS – Maroon

Klaus Weidner | @sec information security GmbH

Change Summary

Date | Version | Description of Changes

10/01/2003 | Draft 0.1 | initial draft

10/17/2003 | Draft 0.2 | continued development

10/20/2003 | Draft 0.3 | Updated OpenSSL test information.

10/23/2003 | Draft 0.4 | Updated expected results section.

10/24/2003 | Draft 0.5 | Updated “Internal Interfaces” instructions.

10/29/2003 | Draft 0.6 | Function test build instructions for ppc64

10/30/2003 | Draft 0.7 | Added manual libpam/pam_laus tests for /bin/login

11/03/2003 | Draft 0.8 | Fixed up some pass/fail numbers.

11/04/2003 | Draft 0.9 | Fixed up some pass/fail numbers.

11/05/2003 | Version 1.0 | Clean up typos. Reset test case numbers.

11/10/2003 | Version 1.1 | Included perl-Expect install instructions for eSeries

11/11/2003 | Version 1.2 | kernel source must be installed from service pack. Further clarify perl-Expect on eSeries.

11/12/2003 | Version 1.3 | Further clarify location of perl-Expect modules.

11/17/2003 | Version 1.4 | Updated LauS expected results.

11/18/2003 | Version 1.5 | Documented close failure in I and p Series. Documented simplified test build/run from test root directory. Added note about running gcov on zSeries.

11/20/2003 | Version 1.6 | Added augrep commands to be executed for manual login tests. Added OpenSSL Interoperability Test.

11/24/2003 | Version 1.7 | Documented OpenSSL TDES interoperability failure.

12/01/2003 | Version 1.8 | Removed Opera as a valid browser for OpenSSL test. Document mount02 failure for zSeries. Removed mingetty manual tests for iSeries and zSeries.

12/01/2003 | Version 1.9 | Documented faillog errors.


Overview

Purpose

The purpose of the Security Function Verification test is to demonstrate the correct operation of security functions identified in the SuSE Linux Enterprise Server V8 (SLES8) Security Target for EAL3. The term “correct operation” is defined to include appropriate failures for unauthorized or invalid access to security functions.

Scope

The test cases identified in this test plan are limited to those areas that enforce the secure operation of SLES8. Furthermore, only features and functions contained in the SLES8 Security Target for EAL3 are addressed. Test cases are designed to verify the correct operation of security related user programs, databases (files), and system calls. Testing for system availability in a stress environment is beyond the scope of this plan.

Environment

The following hardware and software will be used:

Hardware | Linux Distros | Version | Additional Software

IBM xSeries – Model x335 | SuSE Linux Enterprise Server | V8 SP3 | see Installation of Test Environment

IBM zSeries – Model z900 | SuSE Linux Enterprise Server | V8 SP3 | see Installation of Test Environment

IBM iSeries – Model 825 machine type 9406 | SuSE Linux Enterprise Server | V8 SP3 | see Installation of Test Environment

IBM pSeries – Model 630 | SuSE Linux Enterprise Server | V8 SP3 | see Installation of Test Environment

IBM eServer 325 | SuSE Linux Enterprise Server | V8 SP3 | see Installation of Test Environment

Serial Terminal (or PC with Terminal Emulation) | N/A | N/A

o The list of required packages, as well as configuration details, will be provided by the EAL 3 Evaluation Security Guide. The setup of the test machine(s) must conform strictly with the instructions and configuration details described in the EAL 3 Evaluation Security Guide (/usr/share/doc/packages/certification-sles-eal3/SLES-security-guide.{txt|html|pdf|man}).

o The IBM xSeries Model x335 will be tested using both the k_deflt and the k_smp SLES8 kernels.


Assumptions and Dependencies

Assumptions

Dependencies


Test Approach and Methodology

Function Tests

LAuS Tests

OpenSSL Tests

Internal Interfaces


Installation of Test Environment

The following packages should be added through YaST2, including dependencies added automatically (verified through 'rpmqpack' output):

Note: The perl-Expect, perl-IO-Tty, and perl-IO-Stty rpms may be found on the Supplementary CDs for PPC and s390 platforms.

After installation of the kernel source, the following commands must be executed from the /usr/src/linux directory:

Install perl expect for xSeries and eSeries

For internet connected host

# Enter the following command:

perl -MCPAN -e shell

# Answer “no” to the following prompt:

Are you ready for manual configuration ? [yes] no

# At the cpan prompt run the “install Expect” command:

cpan> install Expect

# Answer “yes” to the following prompt:

Shall I follow then and prepend to the queue of modules

we are processing right now? [yes] yes

# Quit the program

cpan> quit

For non-internet connected host

# Download the required files on an Internet-connected machine:

wget http://www.cpan.org/authors/id/R/RG/RGIERSIG/IO-Tty-1.02.tar.gz
wget http://www.cpan.org/authors/id/R/RG/RGIERSIG/Expect-1.15.tar.gz

# Transfer the files to the target machine, and run the following to
# install the Perl modules:

for f in IO-Tty*tar.gz Expect*tar.gz; do (
    gzip -dc "$f" | tar xf -
    cd `basename "$f" .tar.gz`
    perl Makefile.PL
    make && make install
    cd -
) done


Target of Evaluation (TOE) Compliance

The additional packages required for the test environment are all permitted according to the Security Guide ("Reviewing the system configuration"). There are no configuration violations such as setuid/setgid binaries, daemons, startup scripts or other prohibited changes. After installation of the test environment, the system remains compliant with the TOE.

Although the gcov instrumented kernels are modified versions of the TOE, all automated tests will be re-run to verify behavior is identical to the TOE. The data produced by gcov will only be used to verify that internal interfaces have been covered by the EAL3 test suites.


Test Execution

NOTES

o For the LAuS tests, in order to verify the login uid in the audit records is set appropriately and is not simply an uninitialized value of 0, the tester should create a test user. Prior to executing the LAuS tests, login as the test user and su to root.

o Some tests may leave the machine in an inconsistent state and cause the cron or at tests to fail. To avoid these spurious cron/at failures, the test host must be rebooted before attempting to run the test suite again.

o All tests are assumed to be running as root user.

Installation of Testcases

Running All Automated Testcases

The set of automated tests is comprised of 5 separate suites: at_test_EAL, ext3_ACLs_tests, laus_test, ltp_EAL2, ltp_OpenSSL. Instructions for running each individual suite are provided in the following sections. However, it is possible to run the entire set of tests from the test root directory by following the instructions below.

A summary run.log file will be created in the test root directory. More detailed output will be located in the test suite directory in the <suite_name>.run.log file.

LTP Compliant Testcases

At Testcase (standalone)

ACL Testcases (standalone)

OpenSSL Tests

LAuS Tests

Internal Interfaces

Manual Tests


System Test Entry Criteria


System Test Exit Criteria


Problem Reporting and Tracking


Test Case Information

Test Tools

Security Function/Test Case Mapping


Appendix A

Execution Plan

This is the tentative Execution Plan for SLES8 EAL3 security function verification. This portion of the plan will be updated with actual dates as the product is under test. This document will be the best source for determining the current state of the product test. It is important to also list key milestones or checkpoints so others will be able to determine how the project is going.



Environment/Checkpoint

Test Cases

Plan Test Start

Actual Test Start

Plan Test Completion

Actual Completion

Begin System Test

All

11/01/2003

11/15/2003


Appendix B

Manual Tests

login (not valid for iSeries or zSeries)

o From the console, attempt to login as root with an invalid password (login should fail)

o Attempt to login with invalid (non-existing) username. (login should fail)

o Attempt to login as root with valid password. (login should succeed)

o Execute “id” command and verify identity (i.e. uid=0)

o Execute “faillog” command and verify invalid login attempts were recorded.

o Execute “lastlog” command and verify root user login date/time is correct.

o Verify libpam audit record for failed login attempt by executing “augrep -e TEXT -U AUTH_failure”.

o [AUTH_failure] PAM authentication: user=<username> (hostname=<hostname>, addr=xx.xx.xx.xx, terminal=<terminal>)

o Verify libpam audit record for successful login attempt by executing “augrep -e TEXT -U AUTH_success”.

o [AUTH_success] PAM authentication: user=<username> (hostname=<hostname>, addr=xx.xx.xx.xx, terminal=<terminal>)

o Verify pam_laus audit record for successful login attempt by executing “augrep -e LOGIN”.

o [AUDIT_login] LOGIN: uid=<uid>, hostname=<hostname>, address=xx.xx.xx.xx, terminal=<terminal>, executable=<executable>
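
The three record layouts above can be checked mechanically once the augrep output has been saved. The shell functions below are an added example, not part of the original test plan; they assume each record appears on one line in the layout shown above, and the sample records (host name, address, terminal) are constructed.

```shell
#!/bin/sh
# Added example (not from the test plan): validate saved augrep output
# against the three record layouts listed in the manual login test.

# Constructed sample records; host, address and terminal are made up.
sample_records() {
cat <<'EOF'
[AUTH_failure] PAM authentication: user=root (hostname=sles8test, addr=192.0.2.10, terminal=tty1)
[AUTH_failure] PAM authentication: user=nosuchuser (hostname=sles8test, addr=192.0.2.10, terminal=tty1)
[AUTH_success] PAM authentication: user=root (hostname=sles8test, addr=192.0.2.10, terminal=tty1)
[AUDIT_login] LOGIN: uid=0, hostname=sles8test, address=192.0.2.10, terminal=tty1, executable=/bin/login
EOF
}

# field RECORD KEY: print the value of KEY=... in one record
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ,)]*\).*/\1/p"
}

# check_login_audit USER UID TERMINAL < records
# Succeeds only if stdin holds a failed and a successful PAM authentication
# for USER on TERMINAL, plus a pam_laus LOGIN record for UID on TERMINAL.
check_login_audit() {
    user=$1 want_uid=$2 term=$3 fail=0 ok=0 login=0
    while IFS= read -r rec; do
        [ "$(field "$rec" terminal)" = "$term" ] || continue
        case $rec in
        *"[AUTH_failure] PAM authentication:"*)
            [ "$(field "$rec" user)" = "$user" ] && fail=1 ;;
        *"[AUTH_success] PAM authentication:"*)
            [ "$(field "$rec" user)" = "$user" ] && ok=1 ;;
        *"[AUDIT_login] LOGIN:"*)
            [ "$(field "$rec" uid)" = "$want_uid" ] && login=1 ;;
        esac
    done
    rc=0
    [ "$fail" = 1 ]  || { echo "no AUTH_failure for $user on $term" >&2; rc=1; }
    [ "$ok" = 1 ]    || { echo "no AUTH_success for $user on $term" >&2; rc=1; }
    [ "$login" = 1 ] || { echo "no LOGIN record with uid=$want_uid" >&2; rc=1; }
    return $rc
}

sample_records | check_login_audit root 0 tty1 && echo "login audit trail OK"
```

On a test host the function would be fed the combined output of the three augrep commands listed above instead of sample_records.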

/etc/securetty, /sbin/agetty, (not valid for iSeries or zSeries)

o Connect serial terminal to target of evaluation.

o Add the following line to /etc/inittab

o S0:2345:respawn:/sbin/agetty -L 9600 ttyS0

o Reboot machine (optionally change init level or run “init q”).

o Verify “root” is denied login access from the serial terminal.

o Add “ttyS0” to the /etc/securetty file.

o Verify “root” is allowed login access from the serial terminal.

/etc/inittab & /sbin/init

o Add the following line to /etc/inittab

o TEAL:2345:respawn:/bin/sleep 300

o Reboot machine (optionally change init level or run “init q”).

o Verify the sleep process is running (ps -ef | grep "/bin/sleep 300").

o Remove line from /etc/inittab.

o Reboot machine (or change init level).

o Verify the sleep process is not running.

/sbin/mingetty (not valid for iSeries or zSeries)

o Open a virtual console using Ctrl-Alt-Fn, where n is 1-6.

o Attempt to login as root with an invalid password. The login operation should fail.

o Attempt to login as root with a valid password. The login operation should be successful.

o Execute “w” command.

o Verify TTY is correct (i.e. ttyn).

o Verify USER is “root”.

o Verify LOGIN@ time is correct (i.e. current time).

mount

o cd to ltp_EAL2/testcases/bin subdirectory (for example /test_EAL2/ltp_EAL2/testcases/bin).

o Run “./mount01 -D /dev/...” (where /dev/... is an unmounted block device)

o Run “./mount02 -D /dev/...”

o Run “./mount03 -D /dev/...”

o Run “./mount04 -D /dev/...”

Note: On zSeries, test case failures are expected due to differences in errno values. Tests 8 and 9 expect errno 14 (EFAULT) but receive errno 19 (ENODEV) and 22 (EINVAL) respectively. The difference in errno values does not pose any security problems.

amtu

o Run “amtu -m”.

o Run “amtu -s”.

o Run “amtu -i”.

o Run “amtu -n”.

o Run “amtu -p”.

o Run “augrep -e TEXT -X amtu”

o Verify an audit record exists for each amtu command.

/etc/init.d/audit

o Verify auditd or auditd64 is not running.

o Save /etc/audit/filter.conf.

o Run “echo 'event user-message = always;' > /etc/audit/filter.conf”

o Run “/etc/init.d/audit start”.

o Run “augrep -e TEXT” and verify [AUDIT_start] record is created.

o Run “/etc/init.d/audit status”.

o Verify “running” status is displayed

o Run “/etc/init.d/audit restart”.

o Run “augrep -e TEXT” and verify [AUDIT_stop] and [AUDIT_start] records are created.

o Run “/etc/init.d/audit try-restart”.

o Run “augrep -e TEXT” and verify [AUDIT_stop] and [AUDIT_start] records are created.

o Run “echo 2 > /proc/sys/dev/audit/debug”.

o Run “/etc/init.d/audit reload”.

o Run “dmesg” and verify “auditf_read: called” is displayed.

o Run “/etc/init.d/audit force-reload”.

o Run “dmesg” and verify “auditf_read: called” is displayed a second time.

o Run “echo 0 > /proc/sys/dev/audit/debug”.

o Run “/etc/init.d/audit stop”.

o Run “augrep -e TEXT” and verify [AUDIT_stop] record is created.

o Restore original /etc/audit/filter.conf file.

aurun

o Remove reference to pam_laus.so from /etc/pam.d/sshd if it exists.

o ssh to test machine (the user will not be attached to LAuS).

o If not root, su to root.

o cd to laus_tests/audit_tools.

o If not already built, run “make”.

o Run “aurun make run”.

o All tests should report PASS which verifies aurun correctly attached to LAuS.

OpenSSL Interoperability Tests


	stunnel -D7 -C RC4-SHA \
	-d 443 -g nogroup -s nobody \
	-l /bin/sh -- sh -c "
	dd bs=65536 count=1 >/dev/null 2>&1;
	echo 'HTTP/1.0 200 OK';
	echo 'Content-Type: text/html';
	echo;
	echo '<h1>Hello World</h1><pre>';
	free;
	echo '</pre>'
	"

	stunnel -D7 -C DES-CBC3-SHA \
	-d 443 -g nogroup -s nobody \
	-l /bin/sh -- sh -c "
	dd bs=65536 count=1 >/dev/null 2>&1;
	echo 'HTTP/1.0 200 OK';
	echo 'Content-Type: text/html';
	echo;
	echo '<h1>Hello World</h1><pre>';
	free;
	echo '</pre>'
	"


Appendix C

LAuS syscall Expected Results

xSeries

o PASSED: 1194

o FAILED: 2

o msgrcv 2 – SuSE bugzilla 32324 (aucat/augrep are not affected).

o SKIPPED: 20

o brk 4 – fail case N/A.

o exit 4 – fail case N/A.

o fork 4 – fail case N/A.

o umask 4 – fail case N/A.

o vfork 4 – fail case N/A.

pSeries

o PASSED: 926

o FAILED: 2

o close 2 – close audit record does not contain filename.

o SKIPPED: 24

o brk 4 – fail case N/A.

o exit 4 – fail case N/A.

o fork 4 – fail case N/A.

o umask 4 – fail case N/A.

o vfork 4 – fail case N/A.

o uselib 4 – success case N/A.

iSeries

o PASSED: 926

o FAILED: 2

o close 2 – close audit record does not contain filename.

o SKIPPED: 24

o brk 4 – fail case N/A.

o exit 4 – fail case N/A.

o fork 4 – fail case N/A.

o umask 4 – fail case N/A.

o vfork 4 – fail case N/A.

o uselib 4 – success case N/A.

zSeries

o PASSED: 1110

o FAILED: 54 (SuSE bugzilla tickets 30277, 32324)

o ftruncate 2 – SuSE bugzilla 30277 (sign extension)

o setregid 4 – SuSE bugzilla 30277 (sign extension)

o setregid16 4 – SuSE bugzilla 30277 (sign extension)

o setregid32 4 – SuSE bugzilla 30277 (sign extension)

o setresgid 4 – SuSE bugzilla 30277 (sign extension)

o setresgid16 4 – SuSE bugzilla 30277 (sign extension)

o setresgid32 4 – SuSE bugzilla 30277 (sign extension)

o setresuid 4 – SuSE bugzilla 30277 (sign extension)

o setresuid16 4 – SuSE bugzilla 30277 (sign extension)

o setresuid32 4 – SuSE bugzilla 30277 (sign extension)

o setreuid 4 – SuSE bugzilla 30277 (sign extension)

o setreuid16 4 – SuSE bugzilla 30277 (sign extension)

o setreuid32 4 – SuSE bugzilla 30277 (sign extension)

o truncate 2 – SuSE bugzilla 30277 (sign extension)

o msgrcv 2 – SuSE bugzilla 32324 (aucat/augrep are not affected).

o SKIPPED: 28

o brk 4 – fail case N/A.

o clone 4 – CLONE_PID has known issues. No other easy way to cause a failure.

o exit 4 – fail case N/A.

o fork 4 – fail case N/A.

o umask 4 – fail case N/A.

o vfork 4 – fail case N/A.

o uselib 4 – success case N/A.

eServer 325

o PASSED: 886

o FAILED: 18

o setregid 4 – SuSE bugzilla 31058 (sign extension)

o setresgid 4 – SuSE bugzilla 31058 (sign extension)

o setresuid 4 – SuSE bugzilla 31058 (sign extension)

o setreuid 4 – SuSE bugzilla 31058 (sign extension)

o msgrcv 2 – SuSE bugzilla 32324 (aucat/augrep are not affected).

o SKIPPED: 24

o brk 4 – fail case N/A.

o exit 4 – fail case N/A.

o fork 4 – fail case N/A.

o umask 4 – fail case N/A.

o vfork 4 – fail case N/A.

o uselib 4 – success case N/A.

Other Known Failures

login (manual test) – The faillog portion of the login test does not work as described. Failed login attempts are recorded by the audit subsystem.

mount02 (manual test) – On zSeries, test case failures are expected due to differences in errno values. Tests 8 and 9 expect errno 14 (EFAULT) but receive errno 19 (ENODEV) and 22 (EINVAL) respectively. The difference in errno values does not pose any security problems.

OpenSSL Interoperability Test – The test using the TDES cipher with OpenSSL is expected to fail due to interoperability problems.


End of Document



Sourceforge.net  Last modified on: August 02, 2006 - 17:13:58 UTC.