All,
I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and
report back.
Regards
Burn
On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
I don't have one. My count is that there are 144 known events. I created a
testing tool, ausearch-test, that is located here:
http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
It can mine your audit logs for one example of each kind of event to a file
that can later be used for testing. I have run it over and over from various
machines and doing stuff to provoke events such as the IMA events. Running the
aucoverage utility against my database shows I am missing 68. Of those, 18 are
in the ANOM_ category which is a place-holder for events to be used in a IDS
plugin still under development. There are 13 missing in the RESP_ category
because the IPS plugin is not using them yet. So, that leaves 37 real events
that I don't have in my collection.
This is the list of events I have never been able to generate:
Missing AVC_PATH
Missing CHUSER_ID
Missing CRYPTO_FAILURE_USER
Missing CRYPTO_LOGIN
Missing CRYPTO_LOGOUT
Missing CRYPTO_PARAM_CHANGE_USER
Missing CRYPTO_REPLAY_USER
Missing CRYPTO_TEST_USER
Missing DAC_CHECK
Missing DAEMON_ABORT
Missing INTEGRITY_DATA
Missing INTEGRITY_HASH
Missing INTEGRITY_METADATA
Missing INTEGRITY_RULE
Missing INTEGRITY_STATUS
Missing LABEL_OVERRIDE
Missing MAC_CIPSOV4_ADD
Missing MAC_CIPSOV4_DEL
Missing MAC_IPSEC_ADDSA
Missing MAC_IPSEC_ADDSPD
Missing MAC_IPSEC_DELSA
Missing MAC_IPSEC_DELSPD
Missing MAC_IPSEC_EVENT
Missing MAC_MAP_ADD
Missing MAC_MAP_DEL
Missing MAC_UNLBL_STCADD
Missing MAC_UNLBL_STCDEL
Missing NETFILTER_PKT
Missing ROLE_MODIFY
Missing ROLE_REMOVE
Missing SELINUX_ERR
Missing USER_LABELED_EXPORT
Missing USER_MAC_CONFIG_CHANGE
Missing USER_MAC_POLICY_LOAD
Missing USER_MGMT
Missing USER_SELINUX_ERR
Missing USER_UNLABELED_EXPORT
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
There is a test suite, audit-test, that you might want to know about. Its used
for Common Criteria certifications and can be found here:
http://sourceforge.net/projects/audit-test/
It can supposedly exercise the system to generate events. But I don't know if
it removes audit logs between tests to make finding the event under test easier
to find or not. But I have been thinking using it might be the best way to get
the events I am missing.
I know that you'll never get them all. Some are unused. Some have been
deprecated. Some can only be generated when using SE Linux in MLS mode with
labelled networking and printing. The Integrity events that I am missing are
in the IMA subsystem. I can see them in the kernel, but I have no idea how to
make them come out.
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.
For an exhaustive collection, you'd probable want to run without SE Linux
enabled, with targeted policy, with MLS policy, and probably with other LSM's
than SE Linux.
-Steve