Re: Repository of audit events

2014-04-11 Thread Steve Grubb
Hi Mimi, On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote: On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote: On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote: Missing INTEGRITY_RULE IMA with an 'audit' rule generates INTEGRITY_RULE messages. For those of us not really up on

Re: Repository of audit events

2014-04-11 Thread Mimi Zohar
On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote: Hi Mimi, On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote: On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote: On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote: Missing INTEGRITY_RULE IMA with an 'audit' rule

Re: Repository of audit events

2014-04-10 Thread Mimi Zohar
On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote: On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote: Missing INTEGRITY_RULE IMA with an 'audit' rule generates INTEGRITY_RULE messages. Missing INTEGRITY_DATA Failure to collect or appraise file data. (Requires the filesystem to be

Repository of audit events

2014-04-09 Thread Burn Alting
All, Does there exist a repository of audit events that could be used to test changes to the audit parsing code? Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all for a while does tend to generate a lot of audit, but it's clearly not exhaustive so I
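
As an added illustration of the kind of code the thread is about (example code written for this page; it is not ausearch, not the ausearch-test tool Steve mentions, and not code from the linux-audit project): a small Python parser for the auditd text record format, run over a constructed corpus of the records a `-a always,exit -F arch=b64 -S all` rule and an IMA 'audit' rule would emit, followed by a check of which record types the corpus does and does not cover. The record layout, the set of hex-encoded fields, and every sample value are assumptions of the example, not facts taken from the thread.

```python
"""Parse Linux audit records and check which record types a corpus covers.

Added example; not ausearch, not ausearch-test, not linux-audit project code.
Assumed record shape (the usual auditd text format):

    type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): key=value key="string" key=HEX ...

Records sharing a serial number belong to one event.
"""
import re
from collections import OrderedDict

HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value tokens: value is double-quoted, or a bare run of non-space characters
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')

# String fields the kernel emits unquoted and hex-encoded when the value holds
# whitespace or non-printable bytes; a quoted value is always literal.
# (Assumed list for the example; extend it for other string-carrying fields.)
HEX_FIELDS = {"proctitle", "name", "file", "cwd", "comm", "exe"}


def is_record(line):
    """True if the line has the type=... msg=audit(...): header."""
    return HEADER_RE.match(line.strip()) is not None


def decode_value(rec_type, key, quoted, bare):
    """Return a field value as text, hex-decoding only where the kernel hex-encodes."""
    if quoted is not None:
        return quoted
    # EXECVE argv fields (a0, a1, ...) are hex-encoded strings; the same keys on
    # a SYSCALL record are register values and must stay exactly as written.
    hex_string = key in HEX_FIELDS or (rec_type == "EXECVE" and re.fullmatch(r"a\d+", key))
    if hex_string and HEX_RE.match(bare):
        return bytes.fromhex(bare).decode("utf-8", "replace")
    return bare


def parse_record(line):
    """Parse one record into {type, time, serial, fields}; raise on junk lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec_type = m.group("type")
    fields = {}
    for f in FIELD_RE.finditer(m.group("body")):
        fields[f.group("key")] = decode_value(rec_type, f.group("key"),
                                              f.group("quoted"), f.group("bare"))
    return {
        "type": rec_type,
        "time": float("%s.%s" % (m.group("sec"), m.group("ms"))),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def group_events(lines):
    """Group records by serial, keeping first-seen order of events and records."""
    events = OrderedDict()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events


def types_seen(events):
    """Sorted list of distinct record types present in the corpus."""
    return sorted({rec["type"] for recs in events.values() for rec in recs})


def missing_types(events, known_types):
    """Which of a known list of record types never appeared in the corpus."""
    return sorted(set(known_types) - set(types_seen(events)))


# Constructed sample corpus (all values invented for this example).  Serial 500 is
# one execve() event caught by a '-S all' rule; serial 501 is an IMA 'audit' rule hit.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397030000.123:500): arch=c000003e syscall=59 success=yes exit=0 a0=7fff5c5ee5d0 a1=7fff5c5ee7a0 a2=7fff5c5ee7c0 a3=0 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="all64"
type=EXECVE msg=audit(1397030000.123:500): argc=2 a0="ls" a1=2D6C20666F6F
type=CWD msg=audit(1397030000.123:500):  cwd="/home/user"
type=PATH msg=audit(1397030000.123:500): item=0 name="/usr/bin/ls" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1397030000.123:500): proctitle=6C73002D6C20666F6F
type=INTEGRITY_RULE msg=audit(1397030001.456:501): file="/usr/bin/ls" hash="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 ses=1 tty=pts0 comm="ls" exe="/usr/bin/ls" res=1
"""

if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG.splitlines())
    for serial, recs in ev.items():
        print(serial, [r["type"] for r in recs])
    print("types seen:", types_seen(ev))
    print("missing:", missing_types(ev, ["SYSCALL", "INTEGRITY_RULE", "INTEGRITY_DATA"]))
```

The coverage check is the point for a test corpus: feed it a real capture and a list of every record type the parser claims to handle, and `missing_types` tells you which types the capture never exercised. The hex-decoding rule is the part that most often bites hand-written parsers; note that the same `a1=` key is a register value on a SYSCALL record and an argv string on an EXECVE record, so decoding has to be record-type aware.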

Re: Repository of audit events

2014-04-09 Thread lists_todd
On Apr 8, 2014, at 11:25 PM, Burn Alting b...@swtf.dyndns.org wrote: All, Does there exist a repository of audit events that could be used to test changes to the audit parsing code? Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all

Re: Repository of audit events

2014-04-09 Thread Eric Paris
, 2014-04-09 at 16:25 +1000, Burn Alting wrote: All, Does there exist a repository of audit events that could be used to test changes to the audit parsing code? Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all for a while does tend to generate

Re: Repository of audit events

2014-04-09 Thread Burn Alting
there exist a repository of audit events that could be used to test changes to the audit parsing code? I don't have one. My count is that there are 144 known events. I created a testing tool, ausearch-test, that is located here: http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz

Re: Repository of audit events

2014-04-09 Thread Peter Moody
On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote: Missing INTEGRITY_RULE IMA with an 'audit' rule generates INTEGRITY_RULE messages. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit