Re: Repository of audit events

On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote: I don't have one. My count is that there are 144 known events. I created a testing tool, ausearch-test, that is located here: http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz It can mine your audit logs for one example of each kind of event to a file that can later be used for testing. I have run it over and over from various machines and doing stuff to provoke events such as the IMA events. Running the aucoverage utility against my database shows I am missing 68. Of those, 18 are in the ANOM_ category which is a place-holder for events to be used in a IDS plugin still under development. There are 13 missing in the RESP_ category because the IPS plugin is not using them yet. So, that leaves 37 real events that I don't have in my collection. This is the list of events I have never been able to generate: Missing AVC_PATH Missing CHUSER_ID Missing CRYPTO_FAILURE_USER Missing CRYPTO_LOGIN Missing CRYPTO_LOGOUT Missing CRYPTO_PARAM_CHANGE_USER Missing CRYPTO_REPLAY_USER Missing CRYPTO_TEST_USER Missing DAC_CHECK Missing DAEMON_ABORT Missing INTEGRITY_DATA Missing INTEGRITY_HASH Missing INTEGRITY_METADATA Missing INTEGRITY_RULE Missing INTEGRITY_STATUS Missing LABEL_OVERRIDE Missing MAC_CIPSOV4_ADD Missing MAC_CIPSOV4_DEL Missing MAC_IPSEC_ADDSA Missing MAC_IPSEC_ADDSPD Missing MAC_IPSEC_DELSA Missing MAC_IPSEC_DELSPD Missing MAC_IPSEC_EVENT Missing MAC_MAP_ADD Missing MAC_MAP_DEL Missing MAC_UNLBL_STCADD Missing MAC_UNLBL_STCDEL Missing NETFILTER_PKT Missing ROLE_MODIFY Missing ROLE_REMOVE Missing SELINUX_ERR Missing USER_LABELED_EXPORT Missing USER_MAC_CONFIG_CHANGE Missing USER_MAC_POLICY_LOAD Missing USER_MGMT Missing USER_SELINUX_ERR Missing USER_UNLABELED_EXPORT There is a test suite, audit-test, that you might want to know about. Its used for Common Criteria certifications and can be found here: http://sourceforge.net/projects/audit-test/ It can supposedly exercise the system to generate events. But I don't know if it removes audit logs between tests to make finding the event under test easier to find or not. But I have been thinking using it might be the best way to get the events I am missing. I know that you'll never get them all. Some are unused. Some have been deprecated. Some can only be generated when using SE Linux in MLS mode with labelled networking and printing. The Integrity events that I am missing are in the IMA subsystem. I can see them in the kernel, but I have no idea how to make them come out. For an exhaustive collection, you'd probable want to run without SE Linux enabled, with targeted policy, with MLS policy, and probably with other LSM's than SE Linux. -Steve