* Repository of audit events
From: Burn Alting @ 2014-04-09 6:25 UTC (permalink / raw)
To: linux-audit
All,
Does there exist a repository of audit events that could be used to test
changes to the audit parsing code?
Although turning on
-a always,exit -F arch=b32 -S all
and
-a always,exit -F arch=b64 -S all
for a while does tend to generate a lot of audit, but it's clearly not
exhaustive so I am hoping we have some repositories that are shareable
and one can test against.
Rgds

* Re: Repository of audit events
From: Eric Paris @ 2014-04-09 16:32 UTC (permalink / raw)
To: burn; +Cc: linux-audit

To the best of my knowledge there is no way to generate every record type.
I did send sgrubb the beginnings of me trying to write a suite of programs
to exercise some of them for hopeful eventual inclusion in the auparse
checker tool... I really think such a thing would be useful...

On Wed, 2014-04-09 at 16:25 +1000, Burn Alting wrote:
> All,
>
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
>
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
>
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.
>
> Rgds
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

* Re: Repository of audit events
From: lists_todd @ 2014-04-09 16:33 UTC (permalink / raw)
To: burn; +Cc: linux-audit

On Apr 8, 2014, at 11:25 PM, Burn Alting <burn@swtf.dyndns.org> wrote:
> All,
>
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
>
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
>
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.

If anyone has links, please share with the lists. I would appreciate the data
sources as well. I've started adding Linux audit analysis to my Mac-based
tools, and more data for testing is always appreciated.

Todd

* Re: Repository of audit events
From: Steve Grubb @ 2014-04-09 17:19 UTC (permalink / raw)
To: linux-audit, burn

On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?

I don't have one. My count is that there are 144 known events. I created a
testing tool, ausearch-test, that is located here:

http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz

It can mine your audit logs for one example of each kind of event to a file
that can later be used for testing. I have run it over and over from various
machines and doing stuff to provoke events such as the IMA events. Running the
aucoverage utility against my database shows I am missing 68. Of those, 18 are
in the ANOM_ category which is a place-holder for events to be used in an IDS
plugin still under development. There are 13 missing in the RESP_ category
because the IPS plugin is not using them yet. So, that leaves 37 real events
that I don't have in my collection.

This is the list of events I have never been able to generate:

Missing AVC_PATH
Missing CHUSER_ID
Missing CRYPTO_FAILURE_USER
Missing CRYPTO_LOGIN
Missing CRYPTO_LOGOUT
Missing CRYPTO_PARAM_CHANGE_USER
Missing CRYPTO_REPLAY_USER
Missing CRYPTO_TEST_USER
Missing DAC_CHECK
Missing DAEMON_ABORT
Missing INTEGRITY_DATA
Missing INTEGRITY_HASH
Missing INTEGRITY_METADATA
Missing INTEGRITY_RULE
Missing INTEGRITY_STATUS
Missing LABEL_OVERRIDE
Missing MAC_CIPSOV4_ADD
Missing MAC_CIPSOV4_DEL
Missing MAC_IPSEC_ADDSA
Missing MAC_IPSEC_ADDSPD
Missing MAC_IPSEC_DELSA
Missing MAC_IPSEC_DELSPD
Missing MAC_IPSEC_EVENT
Missing MAC_MAP_ADD
Missing MAC_MAP_DEL
Missing MAC_UNLBL_STCADD
Missing MAC_UNLBL_STCDEL
Missing NETFILTER_PKT
Missing ROLE_MODIFY
Missing ROLE_REMOVE
Missing SELINUX_ERR
Missing USER_LABELED_EXPORT
Missing USER_MAC_CONFIG_CHANGE
Missing USER_MAC_POLICY_LOAD
Missing USER_MGMT
Missing USER_SELINUX_ERR
Missing USER_UNLABELED_EXPORT

> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all

There is a test suite, audit-test, that you might want to know about. It's used
for Common Criteria certifications and can be found here:

http://sourceforge.net/projects/audit-test/

It can supposedly exercise the system to generate events. But I don't know if
it removes audit logs between tests to make the event under test easier to
find or not. But I have been thinking using it might be the best way to get
the events I am missing.

I know that you'll never get them all. Some are unused. Some have been
deprecated. Some can only be generated when using SE Linux in MLS mode with
labelled networking and printing. The Integrity events that I am missing are
in the IMA subsystem. I can see them in the kernel, but I have no idea how to
make them come out.

> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.

For an exhaustive collection, you'd probably want to run without SE Linux
enabled, with targeted policy, with MLS policy, and probably with other LSMs
than SE Linux.

-Steve
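The workflow Steve describes (mine the raw audit log for one example record of each type, then run a coverage check against the table of known types and break the gaps down by family) as an added example in Python; it is not code from the thread, from ausearch-test, or from aucoverage. The log lines and the KNOWN_TYPES list are constructed for the example; the list is a small stand-in for the full audit message-type table that a real coverage run would load instead.

```python
import re
from collections import Counter

# Constructed sample of raw audit records (not taken from the thread). Field
# values are made up. The second SYSCALL record checks that only the first
# example of each type is kept, and the last line is deliberately malformed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397014500.101:4201): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="ls" exe="/usr/bin/ls"
type=CWD msg=audit(1397014500.101:4201): cwd="/home/example"
type=PATH msg=audit(1397014500.101:4201): item=0 name="/usr/bin/ls" inode=1234 mode=0100755
type=PROCTITLE msg=audit(1397014500.101:4201): proctitle="ls"
type=SYSCALL msg=audit(1397014500.202:4202): arch=c000003e syscall=2 success=no exit=-13 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat"
type=USER_LOGIN msg=audit(1397014501.303:4203): pid=2100 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
type=DAEMON_START msg=audit(1397014400.000:1): op=start ver=2.3 format=raw res=success
type=INTEGRITY_RULE msg=audit(1397014502.404:4204): file="/usr/bin/example" hash="sha256:0000" ppid=1 pid=2200 auid=1000 uid=1000
this line is not an audit record
"""

# Constructed subset of the audit message-type table; a real coverage run
# would take the complete list from the audit-userspace type table instead.
KNOWN_TYPES = [
    "SYSCALL", "CWD", "PATH", "PROCTITLE", "USER_LOGIN", "DAEMON_START",
    "INTEGRITY_RULE", "INTEGRITY_DATA", "INTEGRITY_HASH", "AVC_PATH",
    "DAC_CHECK", "ANOM_ABEND", "ANOM_PROMISCUOUS", "RESP_TERMINATE",
]

# Header every raw record shares: type=NAME msg=audit(SECONDS.MILLIS:SERIAL): body
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z0-9_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


def parse_record(line):
    """Return the header fields of one raw audit record, or None if the line is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"type": m.group("type"), "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")), "body": m.group("body")}


def mine_examples(lines):
    """Keep the first well-formed record seen for each record type, as a corpus for parser tests."""
    examples = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] in examples:
            continue
        examples[rec["type"]] = line.strip()
    return examples


def coverage(examples, known_types):
    """Split the known type list into (covered, missing), both sorted, as a coverage report."""
    have = set(examples)
    covered = sorted(t for t in known_types if t in have)
    missing = sorted(t for t in known_types if t not in have)
    return covered, missing


def missing_by_family(missing):
    """Count missing types by prefix family (ANOM_, RESP_, INTEGRITY_, ...); 'other' if no prefix."""
    families = Counter()
    for t in missing:
        prefix, sep, _ = t.partition("_")
        families[prefix + "_" if sep else "other"] += 1
    return dict(families)


if __name__ == "__main__":
    examples = mine_examples(SAMPLE_LOG.splitlines())
    covered, missing = coverage(examples, KNOWN_TYPES)
    print(f"{len(covered)} of {len(KNOWN_TYPES)} known types have an example; missing {len(missing)}")
    for t in missing:
        print("Missing", t)
    print("by family:", missing_by_family(missing))
```

On a real host the lines would come from the raw log (/var/log/audit/audit.log or the output of ausearch -r) rather than SAMPLE_LOG, and the examples dict would be appended to across many hosts and many sessions, which is exactly why keeping only the first record per type matters: the corpus stays one record per type no matter how much log is fed through it.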

* Re: Repository of audit events
From: Burn Alting @ 2014-04-10 0:16 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit

All,

I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and report
back.

Regards
Burn

On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> > Does there exist a repository of audit events that could be used to test
> > changes to the audit parsing code?
>
> I don't have one. My count is that there are 144 known events. I created a
> testing tool, ausearch-test, that is located here:
>
> http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
>
> It can mine your audit logs for one example of each kind of event to a file
> that can later be used for testing. I have run it over and over from various
> machines and doing stuff to provoke events such as the IMA events. Running the
> aucoverage utility against my database shows I am missing 68. Of those, 18 are
> in the ANOM_ category which is a place-holder for events to be used in an IDS
> plugin still under development. There are 13 missing in the RESP_ category
> because the IPS plugin is not using them yet. So, that leaves 37 real events
> that I don't have in my collection.
>
> This is the list of events I have never been able to generate:
>
> Missing AVC_PATH
> Missing CHUSER_ID
> Missing CRYPTO_FAILURE_USER
> Missing CRYPTO_LOGIN
> Missing CRYPTO_LOGOUT
> Missing CRYPTO_PARAM_CHANGE_USER
> Missing CRYPTO_REPLAY_USER
> Missing CRYPTO_TEST_USER
> Missing DAC_CHECK
> Missing DAEMON_ABORT
> Missing INTEGRITY_DATA
> Missing INTEGRITY_HASH
> Missing INTEGRITY_METADATA
> Missing INTEGRITY_RULE
> Missing INTEGRITY_STATUS
> Missing LABEL_OVERRIDE
> Missing MAC_CIPSOV4_ADD
> Missing MAC_CIPSOV4_DEL
> Missing MAC_IPSEC_ADDSA
> Missing MAC_IPSEC_ADDSPD
> Missing MAC_IPSEC_DELSA
> Missing MAC_IPSEC_DELSPD
> Missing MAC_IPSEC_EVENT
> Missing MAC_MAP_ADD
> Missing MAC_MAP_DEL
> Missing MAC_UNLBL_STCADD
> Missing MAC_UNLBL_STCDEL
> Missing NETFILTER_PKT
> Missing ROLE_MODIFY
> Missing ROLE_REMOVE
> Missing SELINUX_ERR
> Missing USER_LABELED_EXPORT
> Missing USER_MAC_CONFIG_CHANGE
> Missing USER_MAC_POLICY_LOAD
> Missing USER_MGMT
> Missing USER_SELINUX_ERR
> Missing USER_UNLABELED_EXPORT
>
> > Although turning on
> >
> > -a always,exit -F arch=b32 -S all
> > and
> > -a always,exit -F arch=b64 -S all
>
> There is a test suite, audit-test, that you might want to know about. It's used
> for Common Criteria certifications and can be found here:
>
> http://sourceforge.net/projects/audit-test/
>
> It can supposedly exercise the system to generate events. But I don't know if
> it removes audit logs between tests to make the event under test easier to
> find or not. But I have been thinking using it might be the best way to get
> the events I am missing.
>
> I know that you'll never get them all. Some are unused. Some have been
> deprecated. Some can only be generated when using SE Linux in MLS mode with
> labelled networking and printing. The Integrity events that I am missing are
> in the IMA subsystem. I can see them in the kernel, but I have no idea how to
> make them come out.
>
> > for a while does tend to generate a lot of audit, but it's clearly not
> > exhaustive so I am hoping we have some repositories that are shareable
> > and one can test against.
>
> For an exhaustive collection, you'd probably want to run without SE Linux
> enabled, with targeted policy, with MLS policy, and probably with other LSMs
> than SE Linux.
>
> -Steve

* Re: Repository of audit events
From: Peter Moody @ 2014-04-10 1:26 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit

On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> Missing INTEGRITY_RULE

IMA with an 'audit' rule generates INTEGRITY_RULE messages.

* Re: Repository of audit events
From: Mimi Zohar @ 2014-04-11 3:36 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit

On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
>
> > Missing INTEGRITY_RULE
>
> IMA with an 'audit' rule generates INTEGRITY_RULE messages.

> Missing INTEGRITY_DATA

Failure to collect or appraise file data.
(Requires the filesystem to be labeled w/security.ima and integrity
appraisal enabled.)

> Missing INTEGRITY_HASH

Not used.

> Missing INTEGRITY_METADATA

Before updating/removing the 'security.evm' xattr or modifying file
metadata included in the HMAC calculation (eg. i_ino, i_uid, i_gid,
i_mode, FSUUID, i_generation), EVM verifies the existing value.
(Requires the filesystem to be labeled w/security.evm and integrity
appraisal enabled.)

> Missing INTEGRITY_STATUS

Errors related to the IMA policy.

Mimi

* Re: Repository of audit events
From: Steve Grubb @ 2014-04-11 14:07 UTC (permalink / raw)
To: Mimi Zohar, linux-audit

Hi Mimi,

On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> >
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.

For those of us not really up on IMA and just want to generate the event to
add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA
>
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)

How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH
>
> Not used.

OK, I'll mark that deprecated.

> > Missing INTEGRITY_METADATA
>
> Before updating/removing the 'security.evm' xattr or modifying file
> metadata included in the HMAC calculation (eg. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)

How to get it?

> > Missing INTEGRITY_STATUS
>
> Errors related to the IMA policy.

How to get it?

Thanks,
-Steve

* Re: Repository of audit events
From: Mimi Zohar @ 2014-04-11 15:26 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit

On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote:
> Hi Mimi,
>
> On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > > Missing INTEGRITY_RULE
> > >
> > > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
>
> For those of us not really up on IMA and just want to generate the event to
> add to our collection, any tips on doing this?

Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA
policy* containing an audit rule (eg. audit func=BPRM_CHECK mask=MAY_EXEC).

*Directions below for loading a policy.

> > > Missing INTEGRITY_DATA
> >
> > Failure to collect or appraise file data.
> > (Requires the filesystem to be labeled w/security.ima and integrity
> > appraisal enabled.)
>
> How would I cause this event to be generated if I wanted to see it?

Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and
loading an IMA policy containing a measurement/appraisal rule (eg. measure
func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0, audit
func=BPRM_CHECK mask=MAY_EXEC). Both the boot command line options 'ima_tcb'
and 'ima_appraise_tcb' have these rules. Unlabeled filesystems would require
the additional boot command line option 'ima_appraise=fix'.

> > > Missing INTEGRITY_HASH
> >
> > Not used.
>
> OK, I'll mark that deprecated.
>
> > > Missing INTEGRITY_METADATA
> >
> > Before updating/removing the 'security.evm' xattr or modifying file
> > metadata included in the HMAC calculation (eg. i_ino, i_uid, i_gid,
> > i_mode, FSUUID, i_generation), EVM verifies the existing value.
> > (Requires the filesystem to be labeled w/security.evm and integrity
> > appraisal enabled.)
>
> How to get it?

In addition to the IMA/IMA-appraisal config options, requires CONFIG_EVM=y.
Assuming you've created an EVM key and loaded it, EVM is enabled. (dracut has
an EVM module.) Unlabeled filesystems would require the additional boot command
line option 'ima_evm=fix'.

> > > Missing INTEGRITY_STATUS
> >
> > Errors related to the IMA policy.
>
> How to get it?

Directions for loading a policy: to load a policy or replace the boot command
line 'ima_tcb'/'ima_appraisal_tcb' policies, cat the new policy to
/sys/kernel/security/ima/config. The IMA LTP testsuite has examples.

Mimi
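The IMA policy rules and kernel prerequisites Mimi lays out, as an added example in Python that is not from the thread, from the IMA project, or from the kernel's policy parser. It checks rules of the "action key=value ..." form against the actions and the func/mask values the IMA policy language accepts, writes the finished policy in one write to a caller-supplied path (the securityfs policy file on a live system; a temporary file here so the dry run needs no IMA), and maps the CONFIG_ options and the loaded EVM key to the INTEGRITY_* records the thread says they enable. The function names, the kconfig dictionary and the evm_key_loaded flag are this example's own.

```python
import os
import tempfile

# IMA policy grammar, modelled only as far as the rules quoted in the thread
# need it (added example; this is not the kernel's parser).
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"FILE_CHECK", "MMAP_CHECK", "BPRM_CHECK", "MODULE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
CONDITION_KEYS = {"func", "mask", "uid", "fowner", "fsmagic", "fsuuid", "obj_type"}

# Constructed policy made of the three rules named in the reply, one per line.
EXAMPLE_RULES = [
    "measure func=BPRM_CHECK",
    "measure func=FILE_CHECK mask=MAY_READ uid=0",
    "audit func=BPRM_CHECK mask=MAY_EXEC",
]


def parse_rule(rule):
    """Parse 'action key=value ...' into (action, {key: value}); reject any unknown token."""
    parts = rule.split()
    if not parts or parts[0] not in ACTIONS:
        raise ValueError(f"unknown action in rule: {rule!r}")
    conds = {}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep or key not in CONDITION_KEYS or not value:
            raise ValueError(f"unknown condition {token!r} in rule: {rule!r}")
        if key == "func" and value not in FUNCS:
            raise ValueError(f"unknown func {value!r} in rule: {rule!r}")
        if key == "mask" and value not in MASKS:
            raise ValueError(f"unknown mask {value!r} in rule: {rule!r}")
        if key in ("uid", "fowner") and not value.isdigit():
            raise ValueError(f"{key} must be numeric in rule: {rule!r}")
        conds[key] = value
    return parts[0], conds


def build_policy(rules):
    """Validate every rule, then return the policy text in the one-rule-per-line form the kernel reads."""
    for rule in rules:
        parse_rule(rule)
    return "".join(rule.strip() + "\n" for rule in rules)


def load_policy(policy_text, path):
    """Write the whole policy to `path` in a single write; return the number of rules written.

    On a live system `path` is the IMA securityfs policy file (see the directions
    above); the dry run below points it at a temporary file instead.
    """
    with open(path, "w") as fh:
        fh.write(policy_text)
    return len(policy_text.splitlines())


def expected_events(rules, kconfig, evm_key_loaded=False):
    """INTEGRITY_* record types this policy can emit, following the prerequisites given in the thread."""
    actions = {parse_rule(r)[0] for r in rules}
    events = set()
    # INTEGRITY_RULE: an audit rule plus CONFIG_INTEGRITY_AUDIT=y
    if "audit" in actions and kconfig.get("CONFIG_INTEGRITY_AUDIT"):
        events.add("INTEGRITY_RULE")
    # INTEGRITY_DATA: a measure/appraise rule plus CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y
    appraise = kconfig.get("CONFIG_IMA") and kconfig.get("CONFIG_IMA_APPRAISE")
    if appraise and actions & {"measure", "appraise"}:
        events.add("INTEGRITY_DATA")
    # INTEGRITY_METADATA: the appraisal options plus CONFIG_EVM=y and a loaded EVM key
    if appraise and kconfig.get("CONFIG_EVM") and evm_key_loaded:
        events.add("INTEGRITY_METADATA")
    return events


def dry_run(rules=EXAMPLE_RULES):
    """Build the policy, write it to a temporary file, and return (rule count, text read back)."""
    text = build_policy(rules)
    fd, path = tempfile.mkstemp(prefix="ima-policy-")
    os.close(fd)
    try:
        count = load_policy(text, path)
        with open(path) as fh:
            return count, fh.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    count, text = dry_run()
    print(f"{count} rules written:\n{text}")
    kconfig = {"CONFIG_INTEGRITY_AUDIT": True, "CONFIG_IMA": True,
               "CONFIG_IMA_APPRAISE": True, "CONFIG_EVM": True}
    print("can emit:", sorted(expected_events(EXAMPLE_RULES, kconfig, evm_key_loaded=True)))
```

Validating before writing is the point of build_policy: the kernel rejects a malformed policy as a whole, so catching a bad func or mask value locally is cheaper than discovering it from a failed write to securityfs, and expected_events tells you up front which of the missing INTEGRITY_* records a given kernel configuration can produce at all.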