On Friday, September 12, 2014 10:22:31 AM Steve Grubb wrote:
> As an aside, I have found that we also need an audit validation suite. What
> this would do is have someone start a system, login, logout, log back in,
> shut down the system, reboot and run the test to see if all necessary
> events have been generated, no duplicates, no spurious events, and fields
> are correct.

Since people have asked about this off list...

I have uploaded a state diagram of how the audit system is supposed to work to
my people page:
http://people.redhat.com/sgrubb/audit/

This only includes the system events that give the user session context. The
whole user session can do anything based on the local rules/selinux
settings/file permissions. The point is to define the boundaries that can be
used to constrain the possible user events.

I'll upload the suite in its current form a bit later. It is a work in
progress...but identifies systemd as not being consistent in sending events.
Not to mention lightdm not being audit aware at all...

-Steve
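
Added example, not part of the original message and not the suite or state diagram it mentions: a sketch of the kind of check described above, run over one recorded boot/login/logout/login/shutdown test. The state machine, the expected counts, the choice of record types (SYSTEM_BOOT, USER_LOGIN, USER_LOGOUT, SYSTEM_SHUTDOWN) and the sample records are assumptions made for illustration.

```python
import re
from collections import Counter

UNSET = "4294967295"  # auid value reported when no login uid is set
# Assumed, simplified single-user state machine (not the diagram from the post).
TRANSITIONS = {
    ("down", "SYSTEM_BOOT"): "up",
    ("up", "USER_LOGIN"): "session",
    ("session", "USER_LOGOUT"): "up",
    ("up", "SYSTEM_SHUTDOWN"): "down",
    ("session", "SYSTEM_SHUTDOWN"): "down",
}
TRACKED = {etype for _, etype in TRANSITIONS}
# Events the boot/login/logout/login/logout/shutdown run is assumed to produce.
EXPECTED = Counter(SYSTEM_BOOT=1, USER_LOGIN=2, USER_LOGOUT=2, SYSTEM_SHUTDOWN=1)
RECORD = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):(.*)$")

# Constructed sample records in audit.log layout, not captured from a real host.
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1410531000.100:1): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='res=success'
type=USER_LOGIN msg=audit(1410531060.200:40): pid=900 uid=0 auid=1000 ses=1 msg='res=success'
type=USER_LOGOUT msg=audit(1410531120.300:55): pid=900 uid=0 auid=1000 ses=1 msg='res=success'
type=USER_LOGIN msg=audit(1410531180.400:70): pid=950 uid=0 auid=1000 ses=2 msg='res=success'
type=USER_LOGIN msg=audit(1410531180.450:71): pid=950 uid=0 auid=1000 ses=2 msg='res=success'
type=SYSTEM_SHUTDOWN msg=audit(1410531240.500:90): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='res=success'
"""

def validate(log_text):
    """Return (kind, event_type, serial) findings for one recorded test run."""
    findings, seen, state, prev = [], Counter(), "down", None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or m.group(1) not in TRACKED:
            continue  # untracked record types are outside this boundary check
        etype, serial, rest = m.group(1), int(m.group(2)), m.group(3)
        auid = re.search(r"\bauid=(\d+)", rest)
        if etype.startswith("USER_") and (not auid or auid.group(1) == UNSET):
            findings.append(("bad-field", etype, serial))
        nxt = TRANSITIONS.get((state, etype))
        if nxt is None:  # event not allowed in the current state
            findings.append(("duplicate" if etype == prev else "spurious", etype, serial))
            continue
        seen[etype] += 1
        state, prev = nxt, etype
    for etype, count in sorted((EXPECTED - seen).items()):
        findings.extend([("missing", etype, None)] * count)
    return findings

if __name__ == "__main__":
    for finding in validate(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the second USER_LOGIN for session 2 is reported as a duplicate and the second USER_LOGOUT as missing.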