Repository of audit events

Steve Grubb sgrubb at redhat.com
Wed Apr 9 17:19:57 UTC 2014


On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?

I don't have one. My count is that there are 144 known events. I created a 
testing tool, ausearch-test, that is located here:

http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz

It can mine your audit logs for one example of each kind of event to a file 
that can later be used for testing. I have run it over and over from various 
machines and done stuff to provoke events such as the IMA events. Running the 
aucoverage utility against my database shows I am missing 68. Of those, 18 are 
in the ANOM_ category which is a place-holder for events to be used in an IDS 
plugin still under development. There are 13 missing in the RESP_ category 
because the IPS plugin is not using them yet. So, that leaves 37 real events 
that I don't have in my collection.

This is the list of events I have never been able to generate:

Missing AVC_PATH
Missing CHUSER_ID
Missing CRYPTO_FAILURE_USER
Missing CRYPTO_LOGIN
Missing CRYPTO_LOGOUT
Missing CRYPTO_PARAM_CHANGE_USER
Missing CRYPTO_REPLAY_USER
Missing CRYPTO_TEST_USER
Missing DAC_CHECK
Missing DAEMON_ABORT
Missing INTEGRITY_DATA
Missing INTEGRITY_HASH
Missing INTEGRITY_METADATA
Missing INTEGRITY_RULE
Missing INTEGRITY_STATUS
Missing LABEL_OVERRIDE
Missing MAC_CIPSOV4_ADD
Missing MAC_CIPSOV4_DEL
Missing MAC_IPSEC_ADDSA
Missing MAC_IPSEC_ADDSPD
Missing MAC_IPSEC_DELSA
Missing MAC_IPSEC_DELSPD
Missing MAC_IPSEC_EVENT
Missing MAC_MAP_ADD
Missing MAC_MAP_DEL
Missing MAC_UNLBL_STCADD
Missing MAC_UNLBL_STCDEL
Missing NETFILTER_PKT
Missing ROLE_MODIFY
Missing ROLE_REMOVE
Missing SELINUX_ERR
Missing USER_LABELED_EXPORT
Missing USER_MAC_CONFIG_CHANGE
Missing USER_MAC_POLICY_LOAD
Missing USER_MGMT
Missing USER_SELINUX_ERR
Missing USER_UNLABELED_EXPORT

> Although turning on
> 
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all

There is a test suite, audit-test, that you might want to know about. It's used 
for Common Criteria certifications and can be found here:

http://sourceforge.net/projects/audit-test/

It can supposedly exercise the system to generate events. But I don't know if 
it removes audit logs between tests to make the event under test easier to 
find or not. But I have been thinking using it might be the best way to get 
the events I am missing.

I know that you'll never get them all. Some are unused. Some have been 
deprecated. Some can only be generated when using SE Linux in MLS mode with 
labelled networking and printing. The Integrity events that I am missing are 
in the IMA subsystem. I can see them in the kernel, but I have no idea how to 
make them come out.
 
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.

For an exhaustive collection, you'd probably want to run without SE Linux 
enabled, with targeted policy, with MLS policy, and probably with other LSMs 
than SE Linux.

-Steve
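The collect-one-exemplar-per-type and coverage-gap idea behind ausearch-test and aucoverage, as an added Python example that is not Steve's tool or any code from the audit project. The log lines are constructed (no real system was captured), and KNOWN_TYPES is a small hand-picked subset of real audit record types rather than the full 144; the ANOM_/RESP_ breakdown mirrors the categories the post describes.

```python
"""Build a one-record-per-type corpus from audit.log lines and report which
known record types were never observed.  Added example; it is not the
ausearch-test or aucoverage code the post refers to."""
import re
from collections import Counter

# Leading fields of an audit record:
#   type=<NAME> msg=audit(<seconds>.<millis>:<serial>): ...
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z0-9_]+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
)

# Constructed sample log (not captured from any real machine).  Note the
# duplicate SYSCALL record and the non-audit line that must be skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397061597.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1397061597.123:456): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1397061597.123:456):  cwd="/home/user"
type=PATH msg=audit(1397061597.123:456): item=0 name="/bin/ls" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1397061600.000:457): pid=1234 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1397061601.000:458): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=3 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
this line is not an audit record and must be skipped
type=ANOM_ABEND msg=audit(1397061602.000:459): auid=1000 uid=1000 gid=1000 ses=3 pid=4 comm="crash" reason="memory violation" sig=11
"""

# Constructed subset of known record types (the post counts 144 in total).
KNOWN_TYPES = [
    "SYSCALL", "EXECVE", "CWD", "PATH", "USER_LOGIN", "USER_AUTH", "AVC",
    "DAEMON_START", "DAEMON_ABORT", "CHUSER_ID", "DAC_CHECK",
    "ANOM_ABEND", "ANOM_PROMISCUOUS", "ANOM_LOGIN_FAILURES",
    "RESP_ANOMALY", "RESP_KILL_PROC",
]


def parse_record(line):
    """Return (type, timestamp, serial) for an audit record line, else None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return m.group("type"), float(m.group("ts")), int(m.group("serial"))


def collect_exemplars(lines):
    """Keep the first complete record line seen for each record type."""
    exemplars = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # non-audit text: rotation notes, truncated lines, etc.
        exemplars.setdefault(rec[0], line.rstrip("\n"))
    return exemplars


def coverage_report(found_types, known_types=KNOWN_TYPES):
    """Known types never observed, plus counts per ANOM_/RESP_/real category."""
    missing = sorted(t for t in known_types if t not in found_types)
    categories = Counter()
    for t in missing:
        if t.startswith("ANOM_"):
            categories["ANOM_"] += 1
        elif t.startswith("RESP_"):
            categories["RESP_"] += 1
        else:
            categories["real"] += 1
    return missing, dict(categories)


if __name__ == "__main__":
    exemplars = collect_exemplars(SAMPLE_LOG.splitlines())
    missing, cats = coverage_report(exemplars)
    print(f"Collected {len(exemplars)} exemplar records:")
    for rtype in sorted(exemplars):
        print("  ", exemplars[rtype][:72])
    print(f"Missing {len(missing)} of {len(KNOWN_TYPES)} known types: {cats}")
    for rtype in missing:
        print("  Missing", rtype)
```

Run against a real audit.log the same way, feeding the file's lines to collect_exemplars and writing the values out as a regression corpus; the first exemplar wins on purpose, so a corpus built from an older log does not silently change when the log is re-read after rotation.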
