X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Ftest_engine.py;h=dce10390aa1502607fdd63ab90019cb1447ef6db;hb=e2ecf1ab64d1f4193eddff47df362afce2385c09;hp=0b3fca945cc108d5fa045d23390f0a666e6a8e3d;hpb=d58e674ecffe074f5210aa7300114f3fb97ed0d1;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/test_engine.py b/kconfig_hardened_check/test_engine.py index 0b3fca9..dce1039 100644 --- a/kconfig_hardened_check/test_engine.py +++ b/kconfig_hardened_check/test_engine.py @@ -1,9 +1,7 @@ #!/usr/bin/python3 """ -This tool helps me to check Linux kernel options against -my security hardening preferences for X86_64, ARM64, X86_32, and ARM. -Let the computers do their job! +This tool is for checking the security hardening options of the Linux kernel. Author: Alexander Popov @@ -17,7 +15,7 @@ import io import sys from collections import OrderedDict import json -from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND, populate_with_data, perform_checks +from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND, populate_with_data, perform_checks, override_expected_value class TestEngine(unittest.TestCase): @@ -28,6 +26,7 @@ class TestEngine(unittest.TestCase): config_checklist = [] config_checklist += [KconfigCheck('reason_1', 'decision_1', 'KCONFIG_NAME', 'expected_1')] config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'cmdline_name', 'expected_2')] + config_checklist += [SysctlCheck('reason_3', 'decision_3', 'sysctl_name', 'expected_3')] # 2. prepare the parsed kconfig options parsed_kconfig_options = OrderedDict() 
@@ -37,25 +36,31 @@ class TestEngine(unittest.TestCase): parsed_cmdline_options = OrderedDict() parsed_cmdline_options['cmdline_name'] = 'expected_2' - # 4. prepare the kernel version + # 4. prepare the parsed sysctl options + parsed_sysctl_options = OrderedDict() + parsed_sysctl_options['sysctl_name'] = 'expected_3' + + # 5. prepare the kernel version kernel_version = (42, 43) - # 5. run the engine - self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, kernel_version) + # 6. run the engine + self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, kernel_version) - # 6. check that the results are correct + # 7. check that the results are correct result = [] self.get_engine_result(config_checklist, result, 'json') self.assertEqual(... """ @staticmethod - def run_engine(checklist, parsed_kconfig_options, parsed_cmdline_options, kernel_version): + def run_engine(checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, kernel_version): # populate the checklist with data if parsed_kconfig_options: populate_with_data(checklist, parsed_kconfig_options, 'kconfig') if parsed_cmdline_options: populate_with_data(checklist, parsed_cmdline_options, 'cmdline') + if parsed_sysctl_options: + populate_with_data(checklist, parsed_sysctl_options, 'sysctl') if kernel_version: populate_with_data(checklist, kernel_version, 'version') @@ -98,7 +103,7 @@ class TestEngine(unittest.TestCase): sys.stdout = stdout_backup result.append(captured_output.getvalue()) - def test_single_kconfig(self): + def test_simple_kconfig(self): # 1. prepare the checklist config_checklist = [] config_checklist += [KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1')] 
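Review bot: `run_engine` now takes four positional data arguments, and the updated call sites in the later hunks (`self.run_engine(config_checklist, None, None, parsed_sysctl_options, None)` and the `None, None, None` variants) are easy to misorder, which would hand the sysctl dict to `populate_with_data` under another type without the call looking wrong. Giving the data parameters defaults, `def run_engine(checklist, parsed_kconfig_options=None, parsed_cmdline_options=None, parsed_sysctl_options=None, kernel_version=None):`, lets each test pass only what it uses by keyword, e.g. `self.run_engine(config_checklist, parsed_sysctl_options=parsed_sysctl_options)`. The added `if parsed_sysctl_options:` guard also treats an empty dict the same as `None`, like its siblings; whether an empty sysctl input should still populate the checks is not visible from here and may deserve a one-line comment. The body of `run_engine` continues outside this hunk.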
@@ -122,7 +127,7 @@ class TestEngine(unittest.TestCase): parsed_kconfig_options['CONFIG_NAME_9'] = '0' # 3. run the engine - self.run_engine(config_checklist, parsed_kconfig_options, None, None) + self.run_engine(config_checklist, parsed_kconfig_options, None, None, None) # 4. check that the results are correct result = [] @@ -141,7 +146,7 @@ class TestEngine(unittest.TestCase): ["CONFIG_NAME_10", "kconfig", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]] ) - def test_single_cmdline(self): + def test_simple_cmdline(self): # 1. prepare the checklist config_checklist = [] config_checklist += [CmdlineCheck('reason_1', 'decision_1', 'name_1', 'expected_1')] @@ -165,7 +170,7 @@ class TestEngine(unittest.TestCase): parsed_cmdline_options['name_9'] = '0' # 3. run the engine - self.run_engine(config_checklist, None, parsed_cmdline_options, None) + self.run_engine(config_checklist, None, parsed_cmdline_options, None, None) # 4. check that the results are correct result = [] 
@@ -184,7 +189,50 @@ class TestEngine(unittest.TestCase): ["name_10", "cmdline", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]] ) - def test_OR(self): + def test_simple_sysctl(self): + # 1. prepare the checklist + config_checklist = [] + config_checklist += [SysctlCheck('reason_1', 'decision_1', 'name_1', 'expected_1')] + config_checklist += [SysctlCheck('reason_2', 'decision_2', 'name_2', 'expected_2')] + config_checklist += [SysctlCheck('reason_3', 'decision_3', 'name_3', 'expected_3')] + config_checklist += [SysctlCheck('reason_4', 'decision_4', 'name_4', 'is not set')] + config_checklist += [SysctlCheck('reason_5', 'decision_5', 'name_5', 'is present')] + config_checklist += [SysctlCheck('reason_6', 'decision_6', 'name_6', 'is present')] + config_checklist += [SysctlCheck('reason_7', 'decision_7', 'name_7', 'is not off')] + config_checklist += [SysctlCheck('reason_8', 'decision_8', 'name_8', 'is not off')] + config_checklist += [SysctlCheck('reason_9', 'decision_9', 'name_9', 'is not off')] + config_checklist += [SysctlCheck('reason_10', 'decision_10', 'name_10', 'is not off')] + + # 2. prepare the parsed sysctl options + parsed_sysctl_options = OrderedDict() + parsed_sysctl_options['name_1'] = 'expected_1' + parsed_sysctl_options['name_2'] = 'UNexpected_2' + parsed_sysctl_options['name_5'] = '' + parsed_sysctl_options['name_7'] = '' + parsed_sysctl_options['name_8'] = 'off' + parsed_sysctl_options['name_9'] = '0' + + # 3. run the engine + self.run_engine(config_checklist, None, None, parsed_sysctl_options, None) + + # 4. 
check that the results are correct + result = [] + self.get_engine_result(config_checklist, result, 'json') + self.assertEqual( + result, + [["name_1", "sysctl", "expected_1", "decision_1", "reason_1", "OK"], + ["name_2", "sysctl", "expected_2", "decision_2", "reason_2", "FAIL: \"UNexpected_2\""], + ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: is not found"], + ["name_4", "sysctl", "is not set", "decision_4", "reason_4", "OK: is not found"], + ["name_5", "sysctl", "is present", "decision_5", "reason_5", "OK: is present"], + ["name_6", "sysctl", "is present", "decision_6", "reason_6", "FAIL: is not present"], + ["name_7", "sysctl", "is not off", "decision_7", "reason_7", "OK: is not off, \"\""], + ["name_8", "sysctl", "is not off", "decision_8", "reason_8", "FAIL: is off"], + ["name_9", "sysctl", "is not off", "decision_9", "reason_9", "FAIL: is off, \"0\""], + ["name_10", "sysctl", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]] + ) + + def test_complex_or(self): # 1. prepare the checklist config_checklist = [] config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'), @@ -212,7 +260,7 @@ class TestEngine(unittest.TestCase): parsed_kconfig_options['CONFIG_NAME_11'] = 'really_not_off' # 3. run the engine - self.run_engine(config_checklist, parsed_kconfig_options, None, None) + self.run_engine(config_checklist, parsed_kconfig_options, None, None, None) # 4. check that the results are correct result = [] @@ -227,7 +275,7 @@ class TestEngine(unittest.TestCase): ["CONFIG_NAME_10", "kconfig", "expected_10", "decision_10", "reason_10", "OK: CONFIG_NAME_11 is not off"]] ) - def test_AND(self): + def test_complex_and(self): # 1. prepare the checklist config_checklist = [] config_checklist += [AND(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'), 
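Review bot: In `test_simple_sysctl`, the `name_7` case pins that an empty sysctl value passes an `is not off` check (`parsed_sysctl_options['name_7'] = ''` is expected to give `OK: is not off, ""`). The matrix is copied from `test_simple_cmdline`, where a bare option with no value is meaningful; for sysctl input an empty value may instead indicate a key that could not be read or parsed, so an `OK` there could hide an unverified setting. If this is intended, a comment above that entry such as `# an empty sysctl value is deliberately treated as "not off"` would record the decision. The `test_complex_or` body that follows the rename continues outside this hunk.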
@@ -257,7 +305,7 @@ class TestEngine(unittest.TestCase): parsed_kconfig_options['CONFIG_NAME_12'] = 'expected_12' # 3. run the engine - self.run_engine(config_checklist, parsed_kconfig_options, None, None) + self.run_engine(config_checklist, parsed_kconfig_options, None, None, None) # 4. check that the results are correct result = [] @@ -293,7 +341,7 @@ class TestEngine(unittest.TestCase): kernel_version = (42, 43) # 4. run the engine - self.run_engine(config_checklist, parsed_kconfig_options, None, kernel_version) + self.run_engine(config_checklist, parsed_kconfig_options, None, None, kernel_version) # 5. check that the results are correct result = [] 
@@ -306,30 +354,46 @@ class TestEngine(unittest.TestCase): ["CONFIG_NAME_4", "kconfig", "expected_4", "decision_4", "reason_4", "OK: version >= 42.43"]] ) - def test_verbose(self): + def test_stdout(self): # 1. prepare the checklist config_checklist = [] config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'), AND(CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2'), - KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3')))] + SysctlCheck('reason_3', 'decision_3', 'name_3', 'expected_3')))] config_checklist += [AND(CmdlineCheck('reason_4', 'decision_4', 'name_4', 'expected_4'), OR(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'), - CmdlineCheck('reason_6', 'decision_6', 'name_6', 'expected_6')))] + SysctlCheck('reason_6', 'decision_6', 'name_6', 'expected_6')))] - # 2. prepare the parsed kconfig options - parsed_kconfig_options = OrderedDict() - parsed_kconfig_options['CONFIG_NAME_5'] = 'expected_5' + # 2. prepare the parsed cmdline options + parsed_cmdline_options = OrderedDict() + parsed_cmdline_options['name_4'] = 'expected_4' - # 3. run the engine - self.run_engine(config_checklist, parsed_kconfig_options, None, None) + # 3. prepare the parsed sysctl options + parsed_sysctl_options = OrderedDict() + parsed_sysctl_options['name_3'] = 'UNexpected_3' + parsed_sysctl_options['name_6'] = 'UNexpected_6' - # 4. check that the results are correct + # 4. run the engine + self.run_engine(config_checklist, None, parsed_cmdline_options, parsed_sysctl_options, None) + + # 5. 
check that the results are correct json_result = [] self.get_engine_result(config_checklist, json_result, 'json') self.assertEqual( json_result, [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "FAIL: is not found"], - ["name_4", "cmdline", "expected_4", "decision_4", "reason_4", "FAIL: is not found"]] + ["name_4", "cmdline", "expected_4", "decision_4", "reason_4", "FAIL: CONFIG_NAME_5 is not \"expected_5\""]] + ) + + stdout_result = [] + self.get_engine_result(config_checklist, stdout_result, 'stdout') + self.assertEqual( + stdout_result, + [ +"\ +CONFIG_NAME_1 |kconfig| expected_1 |decision_1| reason_1 | FAIL: is not found\ +name_4 |cmdline| expected_4 |decision_4| reason_4 | FAIL: CONFIG_NAME_5 is not \"expected_5\"\ +" ] ) stdout_result = [] 
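Review bot: The rewritten `test_stdout` no longer has any operand that succeeds inside a nested check: the old data made `CONFIG_NAME_5` match so the inner `OR` reported `OK`, while the new data leaves both sysctl operands at `UNexpected_*` and `CONFIG_NAME_5` absent. In the hunks shown here, no test has a `SysctlCheck` satisfying an `OR` or `AND`, so the wording and propagation of that result appear to be unpinned. One more checklist entry with a matching value would cover it, for example `OR(KconfigCheck('reason_7', 'decision_7', 'NAME_7', 'expected_7'), SysctlCheck('reason_8', 'decision_8', 'name_8', 'expected_8'))` together with `parsed_sysctl_options['name_8'] = 'expected_8'`.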
@@ -340,15 +404,89 @@ class TestEngine(unittest.TestCase): "\ <<< OR >>> | FAIL: is not found\n\ CONFIG_NAME_1 |kconfig| expected_1 |decision_1| reason_1 | FAIL: is not found\n\ - <<< AND >>> | FAIL: CONFIG_NAME_3 is not \"expected_3\"\n\ + <<< AND >>> | FAIL: name_3 is not \"expected_3\"\n\ name_2 |cmdline| expected_2 |decision_2| reason_2 | None\n\ -CONFIG_NAME_3 |kconfig| expected_3 |decision_3| reason_3 | FAIL: is not found\ +name_3 |sysctl | expected_3 |decision_3| reason_3 | FAIL: \"UNexpected_3\"\ "\ "\ - <<< AND >>> | FAIL: is not found\n\ -name_4 |cmdline| expected_4 |decision_4| reason_4 | FAIL: is not found\n\ - <<< OR >>> | OK\n\ -CONFIG_NAME_5 |kconfig| expected_5 |decision_5| reason_5 | OK\n\ -name_6 |cmdline| expected_6 |decision_6| reason_6 | None\ + <<< AND >>> | FAIL: CONFIG_NAME_5 is not \"expected_5\"\n\ +name_4 |cmdline| expected_4 |decision_4| reason_4 | None\n\ + <<< OR >>> | FAIL: is not found\n\ +CONFIG_NAME_5 |kconfig| expected_5 |decision_5| reason_5 | FAIL: is not found\n\ +name_6 |sysctl | expected_6 |decision_6| reason_6 | FAIL: \"UNexpected_6\"\ " ] ) + + def test_value_overriding(self): + # 1. prepare the checklist + config_checklist = [] + config_checklist += [KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1')] + config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2')] + config_checklist += [SysctlCheck('reason_3', 'decision_3', 'name_3', 'expected_3')] + + # 2. prepare the parsed kconfig options + parsed_kconfig_options = OrderedDict() + parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1_new' + + # 3. prepare the parsed cmdline options + parsed_cmdline_options = OrderedDict() + parsed_cmdline_options['name_2'] = 'expected_2_new' + + # 4. prepare the parsed sysctl options + parsed_sysctl_options = OrderedDict() + parsed_sysctl_options['name_3'] = 'expected_3_new' + + # 5. 
run the engine + self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, None) + + # 6. check that the results are correct + result = [] + self.get_engine_result(config_checklist, result, 'json') + self.assertEqual( + result, + [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "FAIL: \"expected_1_new\""], + ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"expected_2_new\""], + ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: \"expected_3_new\""]] + ) + + # 7. override expected value and perform the checks again + override_expected_value(config_checklist, "CONFIG_NAME_1", "expected_1_new") + perform_checks(config_checklist) + + # 8. check that the results are correct + result = [] + self.get_engine_result(config_checklist, result, 'json') + self.assertEqual( + result, + [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"], + ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"expected_2_new\""], + ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: \"expected_3_new\""]] + ) + + # 9. override expected value and perform the checks again + override_expected_value(config_checklist, "name_2", "expected_2_new") + perform_checks(config_checklist) + + # 10. check that the results are correct + result = [] + self.get_engine_result(config_checklist, result, 'json') + self.assertEqual( + result, + [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"], + ["name_2", "cmdline", "expected_2_new", "decision_2", "reason_2", "OK"], + ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: \"expected_3_new\""]] + ) + + # 11. override expected value and perform the checks again + override_expected_value(config_checklist, "name_3", "expected_3_new") + perform_checks(config_checklist) + + # 12. 
check that the results are correct + result = [] + self.get_engine_result(config_checklist, result, 'json') + self.assertEqual( + result, + [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"], + ["name_2", "cmdline", "expected_2_new", "decision_2", "reason_2", "OK"], + ["name_3", "sysctl", "expected_3_new", "decision_3", "reason_3", "OK"]] + )
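Review bot: `test_value_overriding` only overrides names that occur once in the checklist as simple checks, so two cases that matter for a tool whose overrides can relax hardening expectations stay unpinned: a name that matches no check, and a name nested inside an `OR`/`AND`. `override_expected_value(config_checklist, "name_2", "expected_2_new")` is keyed by name alone, and the other tests reuse `name_1` to `name_10` for both cmdline and sysctl checks, so a case where a `CmdlineCheck` and a `SysctlCheck` share a name is also worth adding. How the engine behaves in these cases is not visible from this hunk; each new assertion should carry a short comment stating the intended outcome.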