All, I'll start going through these references to see how complete (based on current mainstream Linux deployments) a set of events I can get and report back.
Regards
Burn

On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> > Does there exist a repository of audit events that could be used to test
> > changes to the audit parsing code?
>
> I don't have one. My count is that there are 144 known events. I created a
> testing tool, ausearch-test, that is located here:
>
> http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
>
> It can mine your audit logs for one example of each kind of event to a file
> that can later be used for testing. I have run it over and over from various
> machines and doing stuff to provoke events such as the IMA events. Running the
> aucoverage utility against my database shows I am missing 68. Of those, 18 are
> in the ANOM_ category which is a place-holder for events to be used in an IDS
> plugin still under development. There are 13 missing in the RESP_ category
> because the IPS plugin is not using them yet. So, that leaves 37 real events
> that I don't have in my collection.
>
> This is the list of events I have never been able to generate:
>
> Missing AVC_PATH
> Missing CHUSER_ID
> Missing CRYPTO_FAILURE_USER
> Missing CRYPTO_LOGIN
> Missing CRYPTO_LOGOUT
> Missing CRYPTO_PARAM_CHANGE_USER
> Missing CRYPTO_REPLAY_USER
> Missing CRYPTO_TEST_USER
> Missing DAC_CHECK
> Missing DAEMON_ABORT
> Missing INTEGRITY_DATA
> Missing INTEGRITY_HASH
> Missing INTEGRITY_METADATA
> Missing INTEGRITY_RULE
> Missing INTEGRITY_STATUS
> Missing LABEL_OVERRIDE
> Missing MAC_CIPSOV4_ADD
> Missing MAC_CIPSOV4_DEL
> Missing MAC_IPSEC_ADDSA
> Missing MAC_IPSEC_ADDSPD
> Missing MAC_IPSEC_DELSA
> Missing MAC_IPSEC_DELSPD
> Missing MAC_IPSEC_EVENT
> Missing MAC_MAP_ADD
> Missing MAC_MAP_DEL
> Missing MAC_UNLBL_STCADD
> Missing MAC_UNLBL_STCDEL
> Missing NETFILTER_PKT
> Missing ROLE_MODIFY
> Missing ROLE_REMOVE
> Missing SELINUX_ERR
> Missing USER_LABELED_EXPORT
> Missing USER_MAC_CONFIG_CHANGE
> Missing USER_MAC_POLICY_LOAD
> Missing USER_MGMT
> Missing USER_SELINUX_ERR
> Missing USER_UNLABELED_EXPORT
>
> > Although turning on
> >
> > -a always,exit -F arch=b32 -S all
> > and
> > -a always,exit -F arch=b64 -S all
>
> There is a test suite, audit-test, that you might want to know about. It's used
> for Common Criteria certifications and can be found here:
>
> http://sourceforge.net/projects/audit-test/
>
> It can supposedly exercise the system to generate events. But I don't know if
> it removes audit logs between tests to make finding the event under test easier
> to find or not. But I have been thinking using it might be the best way to get
> the events I am missing.
>
> I know that you'll never get them all. Some are unused. Some have been
> deprecated. Some can only be generated when using SE Linux in MLS mode with
> labelled networking and printing. The Integrity events that I am missing are
> in the IMA subsystem. I can see them in the kernel, but I have no idea how to
> make them come out.
>
> > for a while does tend to generate a lot of audit, but it's clearly not
> > exhaustive so I am hoping we have some repositories that are shareable
> > and one can test against.
>
> For an exhaustive collection, you'd probably want to run without SE Linux
> enabled, with targeted policy, with MLS policy, and probably with other LSMs
> than SE Linux.
>
> -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
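A small Python sketch of the log-mining and coverage check Steve describes (keep the first record of each `type=` seen, then bucket the known types that never appeared into ANOM_, RESP_ and "real" misses). This is an added illustration, not part of the thread and not the code of ausearch-test or aucoverage; the audit records and the short list of known types are constructed for the example.

```python
"""Mine an audit log for one example of each event type and report coverage."""
import re

# Constructed sample records in the audit.log text format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397064000.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1397064000.101:201): argc=1 a0="ls"
type=PROCTITLE msg=audit(1397064000.101:201): proctitle="ls"
type=USER_LOGIN msg=audit(1397064010.500:202): pid=900 uid=0 auid=1000 ses=3 msg='op=login id=1000 res=success'
type=SYSCALL msg=audit(1397064020.222:203): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat"
type=ANOM_LOGIN_FAILURES msg=audit(1397064030.333:204): pid=901 uid=0 auid=1000 msg='op=login'
"""

# Constructed, deliberately short list of "known" types; the real table is far longer
# (144 entries at the time of the thread).
KNOWN_TYPES = [
    "SYSCALL", "EXECVE", "PROCTITLE", "USER_LOGIN", "USER_LOGOUT",
    "ANOM_LOGIN_FAILURES", "ANOM_ABEND", "RESP_ALERT",
    "INTEGRITY_DATA", "AVC_PATH",
]

# Every record starts with type=<NAME> msg=audit(<secs>.<ms>:<serial>):
TYPE_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")


def mine_examples(log_text):
    """Return {event_type: first record line seen} for every type in the log."""
    examples = {}
    for line in log_text.splitlines():
        m = TYPE_RE.match(line)
        if not m:
            continue  # not an audit record; skip it
        examples.setdefault(m.group(1), line)  # keep only the first occurrence
    return examples


def coverage(examples, known_types):
    """Bucket known types absent from examples: ANOM_ (IDS placeholders),
    RESP_ (IPS placeholders) and 'real' (everything else), each sorted."""
    buckets = {"ANOM_": [], "RESP_": [], "real": []}
    for t in sorted(t for t in known_types if t not in examples):
        key = next((p for p in ("ANOM_", "RESP_") if t.startswith(p)), "real")
        buckets[key].append(t)
    return buckets


if __name__ == "__main__":
    found = mine_examples(SAMPLE_LOG)
    for etype, record in sorted(found.items()):
        print(f"{etype}: {record}")
    for name, missing in coverage(found, KNOWN_TYPES).items():
        print(f"Missing {name}: {missing}")
```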
