AMTU was needed for Common Criteria testing. No PP has needed it in about 5 years. Upstream for the package is also dead.

sgrubb 2014-05-30 16:29:34 -04:00
commit 8e462d1068
7 changed files with 1 additions and 469 deletions

.gitignore vendored

@ -1,10 +0,0 @@
amtu-0.1.tar.gz
amtu-1.0.tar.gz
amtu-1.0.1.tar.gz
amtu-1.0.2.tar.gz
amtu-1.0.3.tar.gz
amtu-1.0.4.tar.gz
amtu-1.0.5-1.tar.gz
amtu-1.0.6.tar.gz
amtu-1.0.7.tar.gz
amtu-1.0.8.tar.gz


@ -1,117 +0,0 @@
diff -urN amtu-1.0.8.orig/doc/AMTUHowTo.txt amtu-1.0.8/doc/AMTUHowTo.txt
--- amtu-1.0.8.orig/doc/AMTUHowTo.txt 1969-12-31 19:00:00.000000000 -0500
+++ amtu-1.0.8/doc/AMTUHowTo.txt 2009-07-06 10:20:42.000000000 -0400
@@ -0,0 +1,105 @@
+ABSTRACT MACHINE TEST UTILITY HOWTO
+
+
+OVERVIEW
+
+Abstract Machine Test Utility (AMTU) is an administrative utility to check
+whether the underlying protection mechanism of the hardware are still being
+enforced. This is a requirement of the Controlled Access Protection Profile
+(CAPP) FTP_AMT.1, see http://www.radium.ncsc.mil/tpep/library/protection_profiles/CAPP-1.d.pdf.
+AMTU executes the following tests:
+
+* Memory
+
+Randomly writes to areas of memory and then reading the memory back to
+ensure the values written remain unchanged.
+
+* Memory Separation
+
+Ensures that user space programs cannot read and write to areas of memory
+utilized by the likes of Video RAM, kernel code, etc.
+
+* I/O Controller - Network
+
+Verifies random data transmitted is also the data received for each configured
+network device. Only ethernet and token ring devices that are configured and
+up are checked. Async devices are not checked.
+
+* I/O Controller - Disk
+
+Verifies that information written to disks remains unchanged. Only SCSI and IDE
+controllers associated with mounted filesystems are checked.
+
+* Supervisor Mode Instructions
+
+Ensures that the enforcement of the property that privileged instructions
+should only be in supervisor mode is still in effect. The set privileged
+instructions tested to confirm this is architecture dependant.
+
+
+
+TESTED VERSIONS
+
+AMTU has been tested on the following:
+
+* RHEL4 and 5
+* SuSE SLES 8
+* pSeries (32-bit and 64-bit)
+* iSeries (64-bit)
+* zSeries (31-bit)
+* xSeries (32-bit)
+
+
+
+INSTALLING AMTU
+
+VERIFYING SYSTEM REQUIREMENTS AND PREREQUISITES
+
+Before installing AMTU, verify that your system meets the following
+requirements and prerequisites:
+
+* The system is running in the Common Criteria evaluated configuration.
+
+
+COMPILING AND INSTALLING AMTU
+
+Untar the AMTU source tarball. Then issue the following commands:
+ ./bootstrap
+ ./configure
+ make
+ make install
+
+Only the last step must be run as root. During the ./configure stage
+you may opt to change various options including default install directory.
+
+When compiling AMTU as a 64-bit application on a PPC64 architecture (with the
+exception of Squadron pSeries), specify
+
+ ./configure CC=/opt/cross/bin/powerpc64-linux-gcc
+
+where /opt/cross/bin/powerpc64-linux-gcc is the 64-bit gcc compiler.
+
+To compile as a 64-bit application on X86_64 architecture or Squadron pSeries,
+
+ ./configure CC="gcc -m64"
+
+
+
+RUNNING AMTU
+
+AMTU installs to /usr/bin/amtu by default. You can add optional command line
+arguments (see the AMTU man page (amtu.8) for more details).
+
+
+
+INTERPRETING RESULTS
+
+AMTU issues the following return codes when executed:
+
+ * -1 - Program abort error
+ * 0 - Successful program completion
+
+If the error is repeatable, you can re-run amtu with the -d option to get
+more information about the failure. The success or failure of AMTU is logged
+in the audit log files (see auditd.8).
+
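Review bot: The OVERVIEW paragraph of the new AMTUHowTo.txt cites the requirement as "FTP_AMT.1", while the %description in amtu.spec names the same CAPP requirement "FPT_AMT.1". FPT is the Common Criteria class for protection of the TSF, so the HowTo spelling looks like a transposition and should be corrected to match. The INTERPRETING RESULTS list also documents a return code of -1, which a calling shell or script observes as exit status 255; the text should state the value a caller actually has to test for.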
diff -urN amtu-1.0.8.orig/doc/Makefile.am amtu-1.0.8/doc/Makefile.am
--- amtu-1.0.8.orig/doc/Makefile.am 2009-07-06 09:39:44.000000000 -0400
+++ amtu-1.0.8/doc/Makefile.am 2009-07-06 09:40:49.000000000 -0400
@@ -1,3 +1,3 @@
CONFIG_CLEAN_FILES = *.rej *.orig
-EXTRA_DIST = $(man_MANS)
+EXTRA_DIST = $(man_MANS) AbstractMachineTestingDesign.doc AMTUHowTo.txt
man_MANS = amtu.8
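Review bot: The new EXTRA_DIST line in doc/Makefile.am lists AbstractMachineTestingDesign.doc, but this patch only creates AMTUHowTo.txt. If the .doc file is not already present in the doc directory of the 1.0.8 tarball, `make dist` will fail on the missing file; either confirm it ships upstream or drop it from EXTRA_DIST.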


@ -1,12 +0,0 @@
diff -urp amtu-1.0.8.orig/src/memsep.c amtu-1.0.8/src/memsep.c
--- amtu-1.0.8.orig/src/memsep.c 2010-01-18 10:56:48.000000000 -0500
+++ amtu-1.0.8/src/memsep.c 2010-01-18 11:42:23.000000000 -0500
@@ -102,7 +102,7 @@ void sig_handler(int sig)
#endif
int *get_pointer_in_range(int *start, int *end)
{
- return (int *)((char *)start + (RANDNUM % ((char *)end - (char *)start + 1)));
+ return (int *)((char *)start + (RANDNUM % ((char *)end - (char *)start)));
}
/************************************************************************/
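Review bot: In get_pointer_in_range the new modulus `(char *)end - (char *)start` is zero when start == end, so `RANDNUM % 0` is undefined behaviour (an integer divide fault on x86), where the old `+ 1` form returned start. Guard the empty range before the modulo. Separately, the result is a random byte offset cast to int *, so it can be misaligned, and if callers dereference it as an int, an access near the top of the range can still extend past end; shrinking the modulus by sizeof(int) and rounding the offset down to a multiple of sizeof(int) would keep every access inside the range.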


@ -1,159 +0,0 @@
From aa004563d3951086283f896342ec4b3b96fb8785 Mon Sep 17 00:00:00 2001
From: Jan Stancek <jstancek@redhat.com>
Date: Wed, 24 Aug 2011 11:54:30 +0200
Subject: [PATCH] networkio: check ifc type and carrier in /sys
With biosdevname changes it's no longer valid to check
interface type just by name of interface.
This patch will get interface hardware type and carrier from
/sys/class/net. As in previous implementation, only ethernet
and token ring can be used, and carrier must be present.
Difference is, that now all devices, that match this criteria,
will get tested, e.g. bridge or tap devices too.
Patch aims to resolve these bugs:
Bug 689823 - [AMTU] "Failed to get list of network interfaces to test."
https://bugzilla.redhat.com/show_bug.cgi?id=689823
Bug 723049 - [RHEL6.0] AMTU Running network tests on interfaces that
have no link
https://bugzilla.redhat.com/show_bug.cgi?id=723049
Before:
[root@dell-pem710 amtu-1.0.8]# ./src/amtu -dn
Executing Network I/O Tests...
Failed to get list of network interfaces to test.
After:
[root@dell-pem710 amtu-1.0.8]# ./src/amtu -dn
Executing Network I/O Tests...
if: lo, type: 772, carrier: 1
if: em1, type: 1, carrier: 1
if: em2, type: 1, carrier: 1
if: em3, type: 1, carrier: -1
if: em4, type: 1, carrier: -1
if: lo, type: 772, carrier: 1
if: em1, type: 1, carrier: 1
if: lo, type: 772, carrier: 1
if: em1, type: 1, carrier: 1
if: em1, type: 1, carrier: 1
if: em2, type: 1, carrier: 1
if: em2, type: 1, carrier: 1
Interface list to test:
em1
em2
Signed-off-by: Jan Stancek <jstancek@redhat.com>
---
src/networkio.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++---
1 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/src/networkio.c b/src/networkio.c
index bfa69e8..54f99c3 100644
--- a/src/networkio.c
+++ b/src/networkio.c
@@ -41,6 +41,9 @@
#include <ifaddrs.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
+#include <net/if_arp.h>
+#include <sys/stat.h>
+#include <limits.h>
#include <ctype.h>
#include <syslog.h>
#include "amtu.h"
@@ -143,7 +146,51 @@ int send_packet(struct interface_info *iff)
close(ssock_fd);
return 0;
}
-
+
+int sysfs_present(const char *path)
+{
+ struct stat st;
+ return stat(path, &st);
+}
+
+int get_sysfs_value(const char *sysfs_path)
+{
+ FILE *f;
+ int value = -1;
+
+ f = fopen(sysfs_path, "r");
+ if (f) {
+ fscanf(f, "%d", &value);
+ fclose(f);
+ }
+
+ return value;
+}
+
+int get_interface_type(const char *if_name)
+{
+ char sysfs_if_type[PATH_MAX];
+ int type = -1;
+
+ if (snprintf(sysfs_if_type, PATH_MAX,
+ "/sys/class/net/%s/type", if_name) > 0) {
+ type = get_sysfs_value(sysfs_if_type);
+ }
+ return type;
+}
+
+int get_interface_carrier(const char *if_name)
+{
+ char sysfs_if_carrier[PATH_MAX];
+ int carrier = 0;
+
+ if (snprintf(sysfs_if_carrier, PATH_MAX,
+ "/sys/class/net/%s/carrier", if_name) > 0) {
+ carrier = get_sysfs_value(sysfs_if_carrier);
+ }
+ return carrier;
+}
+
/****************************************************************/
/* */
/* FUNCTION: get_interfaces */
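Review bot: In get_interface_type and get_interface_carrier the `snprintf(...) > 0` test does not detect truncation: snprintf returns the length it wanted to write, so an overlong path shows up as a return value >= PATH_MAX, and the check should be `n > 0 && n < PATH_MAX`. get_sysfs_value also ignores the fscanf result and returns -1 for both "cannot open" and "cannot parse", which is why the sample output shows carrier: -1 even though get_interface_carrier initialises carrier to 0; check the fscanf return and document -1 as the error value. sysfs_present returns the raw stat() result, so 0 means present, which reads inverted against its name, and all four helpers can be static.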
@@ -174,10 +221,31 @@ int get_interfaces()
struct interface_info *np;
int found = 0;
- /* only testing ethernet and tokenring */
- if ((strncmp(ifa->ifa_name, "eth", 3) != 0) &&
- (strncmp(ifa->ifa_name, "tr", 2) != 0))
- continue;
+ if (sysfs_present("/sys/class/net") == 0) {
+ int if_type = -1;
+ int if_carrier = 0;
+
+ if_type = get_interface_type(ifa->ifa_name);
+ if_carrier = get_interface_carrier(ifa->ifa_name);
+
+ if (debug)
+ printf("if: %7s, type: %4d, carrier: %3d\n",
+ ifa->ifa_name, if_type, if_carrier);
+
+ /* only testing ethernet and tokenring */
+ if (if_type != ARPHRD_ETHER &&
+ if_type != ARPHRD_IEEE802_TR)
+ continue;
+
+ /* only testing if carrier present */
+ if (if_carrier != 1)
+ continue;
+ } else {
+ /* with no sysfs, just fall back to old way */
+ if ((strncmp(ifa->ifa_name, "eth", 3) != 0) &&
+ (strncmp(ifa->ifa_name, "tr", 2) != 0))
+ continue;
+ }
/* check family */
if (ifa->ifa_addr->sa_family != AF_INET &&
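Review bot: The trailing context dereferences `ifa->ifa_addr->sa_family` with no NULL check visible in this hunk, and getifaddrs() may return entries whose ifa_addr is NULL. The old name filter skipped everything except eth*/tr* before that line; the new type filter admits any device reporting ARPHRD_ETHER (the commit message names bridge and tap devices), so more entries now reach the dereference. Add `if (ifa->ifa_addr == NULL) continue;` ahead of the family check unless that is already done above the visible context. The sysfs lookups also run for every ifaddrs entry, so the same type and carrier files are re-read once per address, as the repeated em1/em2 lines in the debug output show; moving them after the family check or caching per interface name avoids that.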
--
1.7.1

amtu.spec

@ -1,170 +0,0 @@
Summary: Abstract Machine Test Utility (AMTU)
Name: amtu
Version: 1.0.8
Release: 14%{?dist}
License: CPL
Group: System Environment/Base
URL: http://sourceforge.net/projects/amtueal/
Source0: %{name}-%{version}.tar.gz
Patch1: amtu-1.0.8-doc.patch
Patch2: amtu-1.0.8-memsep.patch
Patch3: amtu-1.0.8-net-device.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: audit-libs-devel >= 1.1.2
BuildRequires: automake
ExclusiveArch: i386 i686 x86_64 ppc ppc64 s390 s390x ia64
%description
Abstract Machine Test Utility (AMTU) is an administrative utility to check
whether the underlying protection mechanism of the hardware are still being
enforced. This is a requirement of the Controlled Access Protection Profile
FPT_AMT.1, see
http://www.radium.ncsc.mil/tpep/library/protection_profiles/CAPP-1.d.pdf
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
touch ChangeLog
touch NEWS
touch AUTHORS
autoreconf -fv --install
%configure
make %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
make "DESTDIR=${RPM_BUILD_ROOT}" "bindir=%{_sbindir}" install
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root, -)
%doc doc/AMTUHowTo.txt LICENSE
%attr(0750,root,root) %{_sbindir}/amtu
%attr(0644,root,root) %{_mandir}/man8/*
%changelog
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon May 14 2012 Steve Grubb <sgrubb@redhat.com> - 1.0.8-11
- Handle new network device naming scheme (#682337)
* Mon May 14 2012 Steve Grubb <sgrubb@redhat.com> - 1.0.8-10
- Remove init script (#754358)
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.8-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Feb 16 2010 Steve Grubb <sgrubb@redhat.com> - 1.0.8-7
- Move amtu to /usr/sbin
* Mon Jan 18 2010 Steve Grubb <sgrubb@redhat.com> - 1.0.8-6
- Fix off by one in memory separation test
* Fri Sep 11 2009 Steve Grubb <sgrubb@redhat.com> - 1.0.8-5
- Corrected config file test (#522708)
- Made init script more LSB compatible (#522789)
* Fri Aug 28 2009 Steve Grubb <sgrubb@redhat.com> - 1.0.8-4
- Add ExclusiveArch for platforms having memory separation tests
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.0.8-3
- rebuilt with new audit
* Wed Aug 19 2009 Steve Grubb <sgrubb@redhat.com> 1.0.8-2
- rebuild for new audit-libs
* Sun Jul 26 2009 Steve Grubb <sgrubb@redhat.com> 1.0.8-1
- new upstream version
- Add init script for bootup system check
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Wed Jul 01 2009 Steve Grubb <sgrubb@redhat.com> 1.0.7-1
- new upstream version
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Mon Jul 14 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.0.6-3
- fix license tag
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.6-2
- Autorebuild for GCC 4.3
* Sat Dec 08 2007 Steve Grubb <sgrubb@redhat.com> 1.0.6-1
- new upstream version
* Thu Mar 08 2007 Steve Grubb <sgrubb@redhat.com> 1.0.5-1
- new upstream version
* Fri Feb 16 2007 Steve Grubb <sgrubb@redhat.com> 1.0.4-6
- change buildroot
* Thu Feb 8 2007 Steve Grubb <sgrubb@redhat.com> 1.0.4-5
- specfile updates
* Tue Jan 9 2007 Steve Grubb <sgrubb@redhat.com> 1.0.4-4
- patch fixing network and disk tests
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.0.4-3.1
- rebuild
* Mon Jun 12 2006 Jesse Keating <jkeating@redhat.com> - 1.0.4-3
- Fix missing BR on automake
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.0.4-2.2
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.0.4-2.1
- rebuilt for new gcc4.1 snapshot and glibc changes
* Tue Jan 3 2006 Jesse Keating <jkeating@redhat.com> 1.0.4-2
- rebuilt
* Fri Dec 9 2005 Steve Grubb <sgrubb@redhat.com> 1.0.4-1
- New upstream version updated for new audit messages
* Mon Dec 5 2005 Steve Grubb <sgrubb@redhat.com> 1.0.2-2
- Fix "clean" section of spec file (bz 172942)
- Add memsep-random patch (bz 174767)
* Thu Jul 14 2005 Steve Grubb <sgrubb@redhat.com> 1.0.2-1
- New upstream version.
* Tue Jul 12 2005 Steve Grubb <sgrubb@redhat.com> 1.0.1-1
- New version fixes bug where audit system was disable at end of test.
* Wed Jun 8 2005 Steve Grubb <sgrubb@redhat.com> 1.0-2
- add a few more include "config.h"
* Fri May 27 2005 Steve Grubb <sgrubb@redhat.com> 1.0-1
- New upstream version from IBM
- Drop memsep patch
- Rework specfile
* Thu Sep 2 2004 root <ccb@redhat.com> 0.1-7RHEL
- integrate memsep patch from Matt Anderson at HP
* Mon Aug 16 2004 root <ccb@redhat.com> 0.1-6RHEL
- Integrate ia64 patches from HP's Matt Anderson, enabling use on ia64
* Tue Jun 29 2004 root <ccb@redhat.com> 0.1-4RHEL
- fix /usr/bin/amtu modes for real this time
* Tue Jun 29 2004 root <ccb@redhat.com> 0.1-4RHEL
- set execute bits on /usr/bin/amtu
* Fri May 28 2004 ccb <ccb@redhat.com> 0.1-3RHEL
- fixed owners and permissions in "files"
* Wed May 26 2004 ccb <ccb@redhat.com> 0.1-2RHEL
- move docs to a version-qualified directory name
* Sat May 1 2004 root <chavezt@cs679156-153.austin.rr.com>
- Initial build.

dead.package Normal file

@ -0,0 +1 @@
AMTU was needed for Common Criteria testing. No PP has needed it in about 5 years. Upstream for the package is also dead.


@ -1 +0,0 @@
755b517a3a1cc4092435c349d9b99312 amtu-1.0.8.tar.gz