From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, burn@swtf.dyndns.org
Subject: Re: Event generator
Date: Fri, 20 Jan 2017 10:10:59 -0500
Message-ID: <2990490.0JlBNuVCek@x2>
In-Reply-To: <1484917493.3438.23.camel@swtf.swtf.dyndns.org>

On Saturday, January 21, 2017 12:04:53 AM EST Burn Alting wrote:
> Does anyone know of an exhaustive auditd event generator.

There really isn't one. I have only been able to collect about 73 of the ~160 
record types. Some are really hard to generate such as the integrity events. 
Some have barely been used like the response events.
 
> I am aware of ausearch-test and audit-validation but I am looking for a
> script or the like that will generate an exhaustive as possible set of
> events - both success and failure.
> 
> Basically, I am looking at a script that, once an 'auditctl ... -S
> all ...' has been enabled, will attempt to generate one of every
> syscall. Both success/fail.

Nothing does that, but the Linux Test Project has a syscall test suite that 
should exercise almost all positive and negative. I don't think you want to do 
an auditctl -S all. That would be way too much. Also, some syscalls are 
deprecated and there just for legacy purposes. Glibc won't let you get to it. 
And there are syscalls that glibc does not support and you have to call via 
the syscall(3) function.

> Something separate could do the USER_, CRYPTO_, DAEMON_, SERVICE_,
> CONFIG_ filewatch, etc events as well.

The audit test suite Paul mentioned will generate some of these events. 
However, Common Criteria testing is not exhaustive. It only covers events 
normally found in daily sysadmin activity.

I think it would be a big help if anyone were to create such a generator.

-Steve
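The thread discusses generating audited syscalls in both success and failure mode, and points out that some syscalls are only reachable through syscall(3) rather than a glibc wrapper. The following is an added example (not code from the thread, from LTP, or from the audit project) of a small probe harness in that spirit: it drives a few file syscalls to a known success or failure outcome, records what the matching SYSCALL record's `success=` field should say, and shows one raw syscall(3) call. The audit rule and the ausearch key `probe` in the comments are assumptions for the sake of the example; the getpid syscall numbers are the Linux x86_64 and aarch64 values and are only used on those architectures.

```python
"""Probe harness for auditd: exercise a handful of syscalls so that each one
succeeds once and fails once, then report what the SYSCALL audit records
should show.  Added example, not part of the mailing-list thread.

Assumed rule (loaded before running, key name is arbitrary):
    auditctl -a always,exit -F arch=b64 -S openat,chmod,unlink -F key=probe
Afterwards the generated records can be listed with:
    ausearch -k probe -i
Note: the syscall name in the record is whichever one glibc actually issues,
e.g. open() from Python shows up as openat on current glibc.
"""
import ctypes
import ctypes.util
import errno
import os
import platform
import tempfile


def _probe(name, fn, expect_success):
    """Run one operation and record whether it succeeded and with which errno."""
    try:
        fn()
        ok, err = True, 0
    except OSError as exc:
        ok, err = False, exc.errno
    return {
        "probe": name,
        "expect_success": expect_success,
        "success": ok,                      # maps to success=yes/no in SYSCALL
        "errno_name": errno.errorcode.get(err, ""),
        "as_expected": ok == expect_success,
    }


def run_probes(workdir):
    """Drive each syscall to one success and one failure inside workdir."""
    path = os.path.join(workdir, "probe.txt")
    missing = os.path.join(workdir, "does-not-exist")
    probes = [
        # (name, operation, expected outcome)
        ("openat-create", lambda: os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)), True),
        ("openat-enoent", lambda: os.open(missing, os.O_RDONLY), False),
        ("chmod-ok", lambda: os.chmod(path, 0o640), True),
        ("chmod-enoent", lambda: os.chmod(missing, 0o640), False),
        ("unlink-ok", lambda: os.unlink(path), True),
        ("unlink-enoent", lambda: os.unlink(path), False),   # file is already gone
    ]
    return [_probe(name, fn, expect) for name, fn, expect in probes]


def run_probes_in_tmpdir():
    """Convenience wrapper: run the probes in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        return run_probes(workdir)


def raw_getpid():
    """Issue getpid through syscall(3) rather than a libc wrapper.

    This is the pattern needed for syscalls glibc does not wrap.  Syscall
    numbers are per-architecture (assumed values for Linux x86_64/aarch64);
    returns None anywhere else so the example stays portable.
    """
    if platform.system() != "Linux":
        return None
    nr = {"x86_64": 39, "aarch64": 172}.get(platform.machine())
    if nr is None:
        return None
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    return libc.syscall(nr)


if __name__ == "__main__":
    for r in run_probes_in_tmpdir():
        print(f"{r['probe']:<16} success={'yes' if r['success'] else 'no':<4} "
              f"{r['errno_name']:<8} {'OK' if r['as_expected'] else 'UNEXPECTED'}")
    print("getpid via syscall(3):", raw_getpid(), "os.getpid():", os.getpid())
```

Each probe's `success` value is what the corresponding SYSCALL record's `success=` field should read, so the table printed by the script can be diffed against `ausearch -k probe -i` to confirm that both the positive and the negative path of each syscall was captured. Extending the list is a matter of adding a (name, operation, expected outcome) triple and the syscall to the rule.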
