QA » openQA Project » openQA Tests

It seems like the test fails when executing the command:

ausearch -i --arch x86_64

The actual command works as it is supposed to. However the test wants to find a string "arch=x86_64", which fails.

The failure is because on this SUT there is no audit rule defined which would add the arch field into the logs (or if there is such rule, then it was not hit yet).
If the audit logs do not have lines where "arch" is present then ausearch will return "no matches".

My proposal is the following:

1. in the current test scenario, the output of ausearch should be accepted as-is.

Add another test for ausearch:

1. add a simple rule which will add arch=x86_64 into the logs
2. execute the command that would trigger that rule, so auditd will log the event
3. run ausearch and find the arch string

The simple rule can be added like that:

auditctl -a always,exit -F arch=x86_64 -S getpid -k get_pid

And then triggering the rule can be done by:

ps -q 1

The audit logs will now have lines where arch is present. Example:

type=SYSCALL msg=audit(1730282091.383:2347): arch=c000003e syscall=39 success=yes exit=1 a0=7fd64b3fcfe0 a1=29736d20 a2=0 a3=0 items=0 ppid=5045 pid=17639 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=53657276696365576F726B65722074 exe="/opt/google/chrome/chrome" subj=chrome key="get_pid"

The command ausearch -i --arch x86_64 will be able to filter lines for the specified architecture and the test case will succeed.

The final PR was https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20532