Repository of audit events

Burn Alting burn at swtf.dyndns.org
Thu Apr 10 00:16:34 UTC 2014


All,

I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and
report back.

Regards
Burn

On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> > Does there exist a repository of audit events that could be used to test
> > changes to the audit parsing code?
> 
> I don't have one. My count is that there are 144 known events. I created a 
> testing tool, ausearch-test, that is located here:
> 
> http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
> 
> It can mine your audit logs for one example of each kind of event to a file 
> that can later be used for testing. I have run it over and over from various 
> machines and doing stuff to provoke events such as the IMA events. Running the 
> aucoverage utility against my database shows I am missing 68. Of those, 18 are 
> in the ANOM_ category which is a place-holder for events to be used in an IDS 
> plugin still under development. There are 13 missing in the RESP_ category 
> because the IPS plugin is not using them yet. So, that leaves 37 real events 
> that I don't have in my collection.
> 
> This is the list of events I have never been able to generate:
> 
> Missing AVC_PATH
> Missing CHUSER_ID
> Missing CRYPTO_FAILURE_USER
> Missing CRYPTO_LOGIN
> Missing CRYPTO_LOGOUT
> Missing CRYPTO_PARAM_CHANGE_USER
> Missing CRYPTO_REPLAY_USER
> Missing CRYPTO_TEST_USER
> Missing DAC_CHECK
> Missing DAEMON_ABORT
> Missing INTEGRITY_DATA
> Missing INTEGRITY_HASH
> Missing INTEGRITY_METADATA
> Missing INTEGRITY_RULE
> Missing INTEGRITY_STATUS
> Missing LABEL_OVERRIDE
> Missing MAC_CIPSOV4_ADD
> Missing MAC_CIPSOV4_DEL
> Missing MAC_IPSEC_ADDSA
> Missing MAC_IPSEC_ADDSPD
> Missing MAC_IPSEC_DELSA
> Missing MAC_IPSEC_DELSPD
> Missing MAC_IPSEC_EVENT
> Missing MAC_MAP_ADD
> Missing MAC_MAP_DEL
> Missing MAC_UNLBL_STCADD
> Missing MAC_UNLBL_STCDEL
> Missing NETFILTER_PKT
> Missing ROLE_MODIFY
> Missing ROLE_REMOVE
> Missing SELINUX_ERR
> Missing USER_LABELED_EXPORT
> Missing USER_MAC_CONFIG_CHANGE
> Missing USER_MAC_POLICY_LOAD
> Missing USER_MGMT
> Missing USER_SELINUX_ERR
> Missing USER_UNLABELED_EXPORT
> 
> > Although turning on
> > 
> > -a always,exit -F arch=b32 -S all
> > and
> > -a always,exit -F arch=b64 -S all
> 
> There is a test suite, audit-test, that you might want to know about. It's used 
> for Common Criteria certifications and can be found here:
> 
> http://sourceforge.net/projects/audit-test/
> 
> It can supposedly exercise the system to generate events. But I don't know if 
> it removes audit logs between tests to make finding the event under test easier 
> or not. But I have been thinking using it might be the best way to get 
> the events I am missing.
> 
> I know that you'll never get them all. Some are unused. Some have been 
> deprecated. Some can only be generated when using SE Linux in MLS mode with 
> labelled networking and printing. The Integrity events that I am missing are 
> in the IMA subsystem. I can see them in the kernel, but I have no idea how to 
> make them come out.
>  
> > for a while does tend to generate a lot of audit, but it's clearly not
> > exhaustive so I am hoping we have some repositories that are shareable
> > and one can test against.
> 
> For an exhaustive collection, you'd probably want to run without SE Linux 
> enabled, with targeted policy, with MLS policy, and probably with other LSMs 
> than SE Linux.
> 
> -Steve
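As an added illustration of the two steps Steve describes (mining a log for one example of each record type, then checking that collection against the list of known types), here is a small Python script. It is not ausearch-test or aucoverage and does not reproduce their code; the sample records, the host name, and the short list of "known" types are constructed for the example, and the ANOM_/RESP_ split mirrors the accounting in Steve's message.

```python
import re
from collections import OrderedDict

# Leading fields of one raw audit record (auditd's "raw" log format), e.g.
#   type=SYSCALL msg=audit(1397088000.101:200): arch=c000003e syscall=59 ...
# An optional "node=<host> " prefix appears when records arrive via audisp-remote.
RECORD_RE = re.compile(
    r"^(?:node=\S+\s+)?"
    r"type=(?P<type>[A-Z0-9_\[\]]+)\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"(?P<body>.*)$"
)

# ANOM_ and RESP_ are place-holders for the IDS/IPS plugins, so they are
# reported separately rather than counted as "real" gaps in the corpus.
PLACEHOLDER_PREFIXES = ("ANOM_", "RESP_")


def parse_record(line):
    """Split one audit log line into type, timestamp, serial and body.
    Returns None for lines that are not audit records (blank, truncated)."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "body": m.group("body"),
    }


def mine_examples(lines):
    """Keep the first record seen for each record type, in order of appearance.
    One sample per type is what a parser regression corpus needs."""
    examples = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        examples.setdefault(rec["type"], line.strip())
    return examples


def coverage_report(examples, known_types, ignore_prefixes=PLACEHOLDER_PREFIXES):
    """Compare the mined types against a list of known types and say what is
    missing, separating place-holder categories from real gaps."""
    missing = sorted(t for t in known_types if t not in examples)
    placeholder = [t for t in missing if t.startswith(ignore_prefixes)]
    real_missing = [t for t in missing if not t.startswith(ignore_prefixes)]
    unexpected = sorted(t for t in examples if t not in known_types)
    return {
        "missing_total": len(missing),
        "placeholder": placeholder,
        "real_missing": real_missing,
        "unexpected": unexpected,
    }


# Constructed sample log: one exec event (four records sharing serial 200),
# a login, a daemon start relayed from another node, and a failed open().
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1397088000.101:200): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="exec"',
    'type=EXECVE msg=audit(1397088000.101:200): argc=1 a0="id"',
    'type=CWD msg=audit(1397088000.101:200):  cwd="/home/tester"',
    'type=PATH msg=audit(1397088000.101:200): item=0 name="/usr/bin/id" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0',
    "type=USER_LOGIN msg=audit(1397088000.202:201): pid=1300 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'",
    "node=host1 type=DAEMON_START msg=audit(1397088000.303:202): op=start ver=2.3.2 format=raw kernel=3.13.0 auid=4294967295 pid=900 res=success",
    'type=SYSCALL msg=audit(1397088000.404:203): arch=c000003e syscall=2 success=no exit=-13 ppid=1234 pid=1240 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="access"',
]

# Constructed subset of the known record types; a real run would use the
# full list that audit's aucoverage checks against (144 at the time of writing).
KNOWN_TYPES = frozenset([
    "SYSCALL", "EXECVE", "CWD", "PATH", "USER_LOGIN", "USER_AUTH",
    "CRED_ACQ", "DAEMON_START", "AVC_PATH", "DAC_CHECK",
    "ANOM_ABEND", "RESP_TERMINATE",
])


if __name__ == "__main__":
    examples = mine_examples(SAMPLE_LOG)
    report = coverage_report(examples, KNOWN_TYPES)
    print("collected %d record types" % len(examples))
    for t in report["real_missing"]:
        print("Missing", t)
    print("%d missing in total, %d of them place-holders"
          % (report["missing_total"], len(report["placeholder"])))
```

Pointing `mine_examples` at the lines of `/var/log/audit/audit.log` from several machines and merging the resulting dictionaries gives the kind of one-sample-per-type file the thread is after; the report then tells you which gaps are worth provoking and which belong to categories that no producer emits yet.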
