From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: rhel6/7 question Date: Fri, 12 Sep 2014 11:14:57 -0400 Message-ID: <3685428.PkL68kFjCF@x2> References: <5412FDEF.2060508@magitekltd.com> <2089155.agMu1aDU8W@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from x2.localnet (vpn-51-89.rdu2.redhat.com [10.10.51.89]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s8CFErvV000324 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 12 Sep 2014 11:14:54 -0400 In-Reply-To: <2089155.agMu1aDU8W@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Friday, September 12, 2014 10:22:31 AM Steve Grubb wrote: > As an aside, I have found that we also need an audit validation suite. What > this would do is have someone start a system, login, logout, log back in, > shut down the system, reboot and run the test to see if all necessary > events have been generated, no duplicates, no spurious events, and fields > are correct. Since people have asked about this off list... I have uploaded a state diagram of how the audit system is supposed to work to my people page: http://people.redhat.com/sgrubb/audit/ This only includes the system events that give the user session context. The whole user session can do anything based on the local rules/selinux settings/file permissions. The point is to define the boundaries that can be used to constrain the possible user events. I'll upload the suite in its current form a bit later. It is a work in progress...but identifies systemd as not being consistent in sending events. Not to mention lightdm not being audit aware at all... -Steve