From 871df6e34bb754bf3c54fbca503b2acfc6e6c5d1 Mon Sep 17 00:00:00 2001 From: nekral-guest Date: Tue, 26 Jul 2011 15:33:12 +0000 Subject: Added tests for faillog. --- tests/log/faillog/21_faillog-r-u_range/config.txt | 1 + .../faillog/21_faillog-r-u_range/config/etc/group | 42 ++++++++ .../21_faillog-r-u_range/config/etc/gshadow | 42 ++++++++ .../21_faillog-r-u_range/config/etc/pam.d/login | 111 +++++++++++++++++++++ .../faillog/21_faillog-r-u_range/config/etc/passwd | 22 ++++ .../faillog/21_faillog-r-u_range/config/etc/shadow | 22 ++++ .../faillog/21_faillog-r-u_range/data/faillog.list | 5 + .../log/faillog/21_faillog-r-u_range/faillog.test | 56 +++++++++++ tests/log/faillog/21_faillog-r-u_range/login.exp | 26 +++++ 9 files changed, 327 insertions(+) create mode 100644 tests/log/faillog/21_faillog-r-u_range/config.txt create mode 100644 tests/log/faillog/21_faillog-r-u_range/config/etc/group create mode 100644 tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow create mode 100644 tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login create mode 100644 tests/log/faillog/21_faillog-r-u_range/config/etc/passwd create mode 100644 tests/log/faillog/21_faillog-r-u_range/config/etc/shadow create mode 100644 tests/log/faillog/21_faillog-r-u_range/data/faillog.list create mode 100755 tests/log/faillog/21_faillog-r-u_range/faillog.test create mode 100755 tests/log/faillog/21_faillog-r-u_range/login.exp (limited to 'tests/log/faillog/21_faillog-r-u_range') diff --git a/tests/log/faillog/21_faillog-r-u_range/config.txt b/tests/log/faillog/21_faillog-r-u_range/config.txt new file mode 100644 index 00000000..1a78b6cd --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/group b/tests/log/faillog/21_faillog-r-u_range/config/etc/group new file mode 100644 index 00000000..b6fae894 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow b/tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow new file mode 100644 index 00000000..1f2ba8da --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login b/tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login new file mode 100644 index 00000000..54f888d5 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/passwd b/tests/log/faillog/21_faillog-r-u_range/config/etc/passwd new file mode 100644 index 00000000..9d34d3af --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/shadow b/tests/log/faillog/21_faillog-r-u_range/config/etc/shadow new file mode 100644 index 00000000..52721ac3 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/21_faillog-r-u_range/data/faillog.list b/tests/log/faillog/21_faillog-r-u_range/data/faillog.list new file mode 100644 index 00000000..fd0df36b --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 0 0 +foo 0 0 +baz 1 0 diff --git a/tests/log/faillog/21_faillog-r-u_range/faillog.test b/tests/log/faillog/21_faillog-r-u_range/faillog.test new file mode 100755 index 00000000..1b893581 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/faillog.test @@ -0,0 +1,56 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset users (faillog -r -u 1000-1001)..." +faillog -r -u 1000-1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/21_faillog-r-u_range/login.exp b/tests/log/faillog/21_faillog-r-u_range/login.exp new file mode 100755 index 00000000..5df09032 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 -- cgit v1.2.1