From mboxrd@z Thu Jan 1 00:00:00 1970
From: lists_todd@mac.com
Subject: Re: Repository of audit events
Date: Wed, 09 Apr 2014 09:33:06 -0700
Message-ID: <8CDE3B2F-2E8A-4B37-B666-8D1E781AFD57@mac.com>
References: <1397024726.23793.121.camel@swtf.swtf.dyndns.org>
In-reply-to: <1397024726.23793.121.camel@swtf.swtf.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com [10.5.110.19]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s39GXGTX002394 for ; Wed, 9 Apr 2014 12:33:16 -0400
Received: from nk11p08mm-asmtp001.mac.com (nk11p08mm-asmtp001.mac.com [17.158.58.246]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s39GXFr1028255 for ; Wed, 9 Apr 2014 12:33:15 -0400
Received: from [192.168.10.68] (unknown [168.150.221.2]) by nk11p08mm-asmtp001.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with ESMTPSA id <0N3R00E2HVB68I80@nk11p08mm-asmtp001.mac.com> for linux-audit@redhat.com; Wed, 09 Apr 2014 16:33:07 +0000 (GMT)
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Apr 8, 2014, at 11:25 PM, Burn Alting wrote:

> All,
>
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
>
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
>
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.

If anyone has links, please share with the lists. I would appreciate the data sources as well.

I’ve started adding Linux audit analysis to my Mac-based tools, and more data for testing is always appreciated.

Todd
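The thread is about testing audit-parsing code against a corpus of audit records. As an added example, not code from this thread, from Todd's tools, or from the audit project, here is a small Python parser for the text record format that auditd writes (`type=... msg=audit(ts:serial): key=value ...`), run over a handful of constructed records. The records themselves are made up for this example (timestamps, pids, inode numbers and paths are illustrative, not captured from a real system); the set of fields treated as hex-encoded is an assumption listed in the code. It shows the three things a parser test corpus has to exercise: quoted versus unquoted values, fields that auditd hex-encodes when they contain special characters (here a `proctitle` with an embedded NUL separating argv), and grouping of several records into one event by serial number so that a failed `SYSCALL` can be joined to its `PATH` record.

```python
import re

# Constructed sample records for testing the parser; not real captured audit data.
# Event 4501: an unprivileged "cat" denied (exit=-13, EACCES) on a b64 open() under a watch key.
# Event 4502: a successful b32 open() by cron, with no key attached.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397024726.123:4501): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=1b6 a3=0 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1397024726.123:4501):  cwd="/home/example"
type=PATH msg=audit(1397024726.123:4501): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1397024726.123:4501): proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=SYSCALL msg=audit(1397024727.456:4502): arch=40000003 syscall=5 success=yes exit=3 a0=bfa2f3a0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
"""

# Record header: type, then msg=audit(<epoch.millis>:<serial>): followed by the field list.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# A field is key=value where the value is either a double-quoted string or a run of non-space.
FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Assumption for this example: these are the fields auditd emits hex-encoded (unquoted, all hex
# digits) when the value holds spaces, quotes or non-printable bytes. Other fields such as
# inode=409248 are decimal and must never be hex-decoded, hence the allow-list.
HEX_ENCODED_FIELDS = {"proctitle", "name", "cwd", "comm", "exe", "key", "acct", "hostname", "data"}


def decode_value(key, raw):
    """Strip quotes, or hex-decode an allow-listed field; leave everything else as written."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and HEX_RE.match(raw):
        text = bytes.fromhex(raw).decode("utf-8", errors="replace")
        # proctitle separates argv entries with NUL bytes; render them as spaces.
        return text.replace("\x00", " ").rstrip()
    return raw


def parse_record(line):
    """Parse one audit line into a dict, or return None for a line that is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def parse_events(text):
    """Group records that share (timestamp, serial) into events, preserving first-seen order."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(
            (rec["time"], rec["serial"]),
            {"time": rec["time"], "serial": rec["serial"], "records": []},
        )
        ev["records"].append(rec)
    return list(events.values())


def failed_file_access(events):
    """Return (comm, path, key) for each event whose SYSCALL failed and which carries PATH records.

    This is the join a detection rule needs: the denied result lives in the SYSCALL record,
    the file name in the PATH record, and only the shared serial ties them together.
    """
    hits = []
    for ev in events:
        by_type = {}
        for rec in ev["records"]:
            by_type.setdefault(rec["type"], []).append(rec["fields"])
        syscalls = by_type.get("SYSCALL", [])
        if not syscalls or syscalls[0].get("success") != "no":
            continue
        for path in by_type.get("PATH", []):
            hits.append((syscalls[0].get("comm"), path.get("name"), syscalls[0].get("key")))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print(ev["serial"], [r["type"] for r in ev["records"]])
    print(failed_file_access(evs))
```

When building a regression corpus for parser changes, keep one file per record type and per encoding case (quoted, unquoted, hex-encoded, `(null)`/`(none)` placeholders, multi-record events), so that a change to field handling breaks a named test rather than silently altering every event.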