All, Does there exist a repository of audit events that could be used to test changes to the audit parsing code? Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all for a while does tend to generate a lot of audit, but it's clearly not exhaustive so I am hoping we have some repositories that are shareable and one can test against.

On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote: > Does there exist a repository of audit events that could be used to test > changes to the audit parsing code? I don't have one. My count is that there are 144 known events. I created a testing tool, ausearch-test, that is located here: http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz It can mine your audit logs for one example of each kind of event to a file that can later be used for testing. I have run it over and over from various machines and doing stuff to provoke events such as the IMA events. Running the aucoverage utility against my database shows I am missing 68. Of those, 18 are in the ANOM_ category which is a place-holder for events to be used in a IDS plugin still under development. There are 13 missing in the RESP_ category because the IPS plugin is not using them yet. So, that leaves 37 real events that I don't have in my collection. This is the list of events I have never been able to generate: Missing AVC_PATH Missing CHUSER_ID Missing CRYPTO_FAILURE_USER Missing CRYPTO_LOGIN Missing CRYPTO_LOGOUT Missing CRYPTO_PARAM_CHANGE_USER Missing CRYPTO_REPLAY_USER Missing CRYPTO_TEST_USER Missing DAC_CHECK Missing DAEMON_ABORT Missing INTEGRITY_DATA Missing INTEGRITY_HASH Missing INTEGRITY_METADATA Missing INTEGRITY_RULE Missing INTEGRITY_STATUS Missing LABEL_OVERRIDE Missing MAC_CIPSOV4_ADD Missing MAC_CIPSOV4_DEL Missing MAC_IPSEC_ADDSA Missing MAC_IPSEC_ADDSPD Missing MAC_IPSEC_DELSA Missing MAC_IPSEC_DELSPD Missing MAC_IPSEC_EVENT Missing MAC_MAP_ADD Missing MAC_MAP_DEL Missing MAC_UNLBL_STCADD Missing MAC_UNLBL_STCDEL Missing NETFILTER_PKT Missing ROLE_MODIFY Missing ROLE_REMOVE Missing SELINUX_ERR Missing USER_LABELED_EXPORT Missing USER_MAC_CONFIG_CHANGE Missing USER_MAC_POLICY_LOAD Missing USER_MGMT Missing USER_SELINUX_ERR Missing USER_UNLABELED_EXPORT > Although turning on > > -a always,exit -F arch=b32 -S all > and > -a always,exit -F arch=b64 -S all There is a test suite, audit-test, that you might want to know about. Its used for Common Criteria certifications and can be found here: http://sourceforge.net/projects/audit-test/ It can supposedly exercise the system to generate events. But I don't know if it removes audit logs between tests to make finding the event under test easier to find or not. But I have been thinking using it might be the best way to get the events I am missing. I know that you'll never get them all. Some are unused. Some have been deprecated. Some can only be generated when using SE Linux in MLS mode with labelled networking and printing. The Integrity events that I am missing are in the IMA subsystem. I can see them in the kernel, but I have no idea how to make them come out. > for a while does tend to generate a lot of audit, but it's clearly not > exhaustive so I am hoping we have some repositories that are shareable > and one can test against. For an exhaustive collection, you'd probable want to run without SE Linux enabled, with targeted policy, with MLS policy, and probably with other LSM's than SE Linux. -Steve

On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote: > Missing INTEGRITY_RULE IMA with an 'audit' rule generates INTEGRITY_RULE messages.

Missing INTEGRITY_DATA

Missing INTEGRITY_HASH

Missing INTEGRITY_METADATA

Missing INTEGRITY_STATUS

Hi Mimi, On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote: > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote: > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote: > > > Missing INTEGRITY_RULE > > > > IMA with an 'audit' rule generates INTEGRITY_RULE messages. For those of us not really up on IMA and just want to generate the event to add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA > > Failure to collect or appraise file data. > (Requires the filesystem to be labeled w/security.ima and integrity > appraisal enabled.) How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH > > Not used. OK, I'll mark that deprecated. > > Missing INTEGRITY_METADATA > > Before updating/removing 'security.evm' the xattr or modifying file > metadata included in the HMAC calculation(eg. i_ino, i_uid, i_gid, > i_mode, FSUUID, i_generation), EVM verifies the existing value. > (Requires the filesystem to be labeled w/security.evm and integrity > appraisal enabled.) How to get it?

> > Missing INTEGRITY_STATUS > > Errors related to the IMA policy. How to get it?