* Repository of audit events
@ 2014-04-09 6:25 Burn Alting
2014-04-09 16:32 ` Eric Paris
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Burn Alting @ 2014-04-09 6:25 UTC (permalink / raw)
To: linux-audit
All,
Does there exist a repository of audit events that could be used to test
changes to the audit parsing code?
Although turning on
-a always,exit -F arch=b32 -S all
and
-a always,exit -F arch=b64 -S all
for a while does tend to generate a lot of audit, but it's clearly not
exhaustive so I am hoping we have some repositories that are shareable
and one can test against.
Rgds
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Repository of audit events
2014-04-09 6:25 Repository of audit events Burn Alting
@ 2014-04-09 16:32 ` Eric Paris
2014-04-09 16:33 ` lists_todd
2014-04-09 17:19 ` Steve Grubb
2 siblings, 0 replies; 9+ messages in thread
From: Eric Paris @ 2014-04-09 16:32 UTC (permalink / raw)
To: burn; +Cc: linux-audit
To the best of my knowledge there is no way to generate every record
type. I did send sgrubb the beginnings of me trying to write a suite of
programs to exercise some of them for hopeful eventual inclusion in the
auparse checker tool...
I really think such a thing would be useful...
On Wed, 2014-04-09 at 16:25 +1000, Burn Alting wrote:
> All,
>
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
>
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
>
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.
>
> Rgds
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Repository of audit events
2014-04-09 6:25 Repository of audit events Burn Alting
2014-04-09 16:32 ` Eric Paris
@ 2014-04-09 16:33 ` lists_todd
2014-04-09 17:19 ` Steve Grubb
2 siblings, 0 replies; 9+ messages in thread
From: lists_todd @ 2014-04-09 16:33 UTC (permalink / raw)
To: burn; +Cc: linux-audit
On Apr 8, 2014, at 11:25 PM, Burn Alting <burn@swtf.dyndns.org> wrote:
> All,
>
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
>
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
>
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.
If anyone has links, please share with the lists. I would appreciate the data sources as well.
I’ve started adding Linux audit analysis to my Mac-based tools, and more data for testing is always appreciated.
Todd
* Re: Repository of audit events
2014-04-09 6:25 Repository of audit events Burn Alting
2014-04-09 16:32 ` Eric Paris
2014-04-09 16:33 ` lists_todd
@ 2014-04-09 17:19 ` Steve Grubb
2014-04-10 0:16 ` Burn Alting
2014-04-10 1:26 ` Peter Moody
2 siblings, 2 replies; 9+ messages in thread
From: Steve Grubb @ 2014-04-09 17:19 UTC (permalink / raw)
To: linux-audit, burn
On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
I don't have one. My count is that there are 144 known events. I created a
testing tool, ausearch-test, that is located here:
http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
It can mine your audit logs for one example of each kind of event to a file
that can later be used for testing. I have run it over and over from various
machines and doing stuff to provoke events such as the IMA events. Running the
aucoverage utility against my database shows I am missing 68. Of those, 18 are
in the ANOM_ category which is a place-holder for events to be used in an IDS
plugin still under development. There are 13 missing in the RESP_ category
because the IPS plugin is not using them yet. So, that leaves 37 real events
that I don't have in my collection.
This is the list of events I have never been able to generate:
Missing AVC_PATH
Missing CHUSER_ID
Missing CRYPTO_FAILURE_USER
Missing CRYPTO_LOGIN
Missing CRYPTO_LOGOUT
Missing CRYPTO_PARAM_CHANGE_USER
Missing CRYPTO_REPLAY_USER
Missing CRYPTO_TEST_USER
Missing DAC_CHECK
Missing DAEMON_ABORT
Missing INTEGRITY_DATA
Missing INTEGRITY_HASH
Missing INTEGRITY_METADATA
Missing INTEGRITY_RULE
Missing INTEGRITY_STATUS
Missing LABEL_OVERRIDE
Missing MAC_CIPSOV4_ADD
Missing MAC_CIPSOV4_DEL
Missing MAC_IPSEC_ADDSA
Missing MAC_IPSEC_ADDSPD
Missing MAC_IPSEC_DELSA
Missing MAC_IPSEC_DELSPD
Missing MAC_IPSEC_EVENT
Missing MAC_MAP_ADD
Missing MAC_MAP_DEL
Missing MAC_UNLBL_STCADD
Missing MAC_UNLBL_STCDEL
Missing NETFILTER_PKT
Missing ROLE_MODIFY
Missing ROLE_REMOVE
Missing SELINUX_ERR
Missing USER_LABELED_EXPORT
Missing USER_MAC_CONFIG_CHANGE
Missing USER_MAC_POLICY_LOAD
Missing USER_MGMT
Missing USER_SELINUX_ERR
Missing USER_UNLABELED_EXPORT
> Although turning on
>
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
There is a test suite, audit-test, that you might want to know about. It's used
for Common Criteria certifications and can be found here:
http://sourceforge.net/projects/audit-test/
It can supposedly exercise the system to generate events. But I don't know if
it removes audit logs between tests to make the event under test easier to
find or not. But I have been thinking using it might be the best way to get
the events I am missing.
I know that you'll never get them all. Some are unused. Some have been
deprecated. Some can only be generated when using SE Linux in MLS mode with
labelled networking and printing. The Integrity events that I am missing are
in the IMA subsystem. I can see them in the kernel, but I have no idea how to
make them come out.
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.
For an exhaustive collection, you'd probably want to run without SE Linux
enabled, with targeted policy, with MLS policy, and probably with other LSMs
than SE Linux.
-Steve
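As an added illustration of what Steve describes ausearch-test and aucoverage doing, the script below is example code written for this page (it is not those tools, nor any auditd code). It parses raw auditd records, keeps the first record seen for each record type, and lists the known types that never appeared, separating the ANOM_ and RESP_ placeholders from the "real" missing events the way Steve's count does. The KNOWN_TYPES table is a constructed subset of the real type table and the SAMPLE_LOG lines are constructed for the example.

```python
"""Mine an audit log for one sample record of each type and report coverage.

Added example for this thread, not the ausearch-test or aucoverage tools.
KNOWN_TYPES and SAMPLE_LOG are constructed; the real auditd type table
is much larger.
"""
import re
from collections import OrderedDict

# Raw auditd records begin with "type=<NAME> msg=audit(<timestamp>:<serial>): ..."
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z0-9_]+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Constructed subset of audit record types (assumption: not the full table).
KNOWN_TYPES = [
    "SYSCALL", "EXECVE", "PATH", "CWD", "PROCTITLE",
    "USER_LOGIN", "USER_START", "CRED_ACQ", "SERVICE_START",
    "INTEGRITY_RULE", "INTEGRITY_DATA", "INTEGRITY_METADATA", "INTEGRITY_STATUS",
    "ANOM_ABEND", "ANOM_LOGIN_FAILURES",
    "RESP_TERMINATE",
    "MAC_IPSEC_EVENT", "NETFILTER_PKT",
]

# Prefixes Steve treats as place-holders for plugins still under development.
PLACEHOLDER_PREFIXES = ("ANOM_", "RESP_")

# Constructed log lines in auditd's raw format; every value is made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397020000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ...
type=EXECVE msg=audit(1397020000.101:2001): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1397020000.101:2001): cwd="/home/tester"
type=PATH msg=audit(1397020000.101:2001): item=0 name="/usr/bin/ls" inode=1234 ...
type=SYSCALL msg=audit(1397020000.250:2002): arch=c000003e syscall=2 success=no exit=-13 ...
type=USER_LOGIN msg=audit(1397020001.000:2003): pid=911 uid=0 auid=1000 ses=3 msg='op=login res=success'
type=ANOM_ABEND msg=audit(1397020002.500:2004): auid=1000 uid=1000 gid=1000 ses=3 pid=2222 comm="crashy" sig=11
type=INTEGRITY_RULE msg=audit(1397020003.000:2005): pid=1 uid=0 op="appraise_data" cause="missing-hash" name="/tmp/x" res=0
this line is not an audit record and must be skipped
"""


def parse_record(line):
    """Return the record's fields as a dict, or None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["serial"] = int(rec["serial"])
    return rec


def mine_examples(log_text):
    """Keep the first record seen for every type, in order of first appearance."""
    examples = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] in examples:
            continue
        examples[rec["type"]] = rec
    return examples


def coverage_report(examples, known_types=KNOWN_TYPES):
    """Split the known types into seen, placeholder-missing and real-missing."""
    seen = [t for t in known_types if t in examples]
    missing = [t for t in known_types if t not in examples]
    placeholder = [t for t in missing if t.startswith(PLACEHOLDER_PREFIXES)]
    real_missing = [t for t in missing if t not in placeholder]
    return {"seen": seen, "placeholder_missing": placeholder, "real_missing": real_missing}


if __name__ == "__main__":
    found = mine_examples(SAMPLE_LOG)
    report = coverage_report(found)
    for name, rec in found.items():
        print(f"{name:<20} serial={rec['serial']}")
    print(f"{len(report['placeholder_missing'])} placeholder types missing")
    for name in report["real_missing"]:
        print("Missing", name)
```

To use it on a real system, feed `mine_examples()` the contents of the audit log and replace KNOWN_TYPES with the full message type table shipped with the audit-userspace library; the per-type examples in the returned dict are the fixture a parser test can be run against.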
* Re: Repository of audit events
2014-04-09 17:19 ` Steve Grubb
@ 2014-04-10 0:16 ` Burn Alting
2014-04-10 1:26 ` Peter Moody
1 sibling, 0 replies; 9+ messages in thread
From: Burn Alting @ 2014-04-10 0:16 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
All,
I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and
report back.
Regards
Burn
On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> > Does there exist a repository of audit events that could be used to test
> > changes to the audit parsing code?
>
> I don't have one. My count is that there are 144 known events. I created a
> testing tool, ausearch-test, that is located here:
>
> http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
>
> It can mine your audit logs for one example of each kind of event to a file
> that can later be used for testing. I have run it over and over from various
> machines and doing stuff to provoke events such as the IMA events. Running the
> aucoverage utility against my database shows I am missing 68. Of those, 18 are
> in the ANOM_ category which is a place-holder for events to be used in an IDS
> plugin still under development. There are 13 missing in the RESP_ category
> because the IPS plugin is not using them yet. So, that leaves 37 real events
> that I don't have in my collection.
>
> This is the list of events I have never been able to generate:
>
> Missing AVC_PATH
> Missing CHUSER_ID
> Missing CRYPTO_FAILURE_USER
> Missing CRYPTO_LOGIN
> Missing CRYPTO_LOGOUT
> Missing CRYPTO_PARAM_CHANGE_USER
> Missing CRYPTO_REPLAY_USER
> Missing CRYPTO_TEST_USER
> Missing DAC_CHECK
> Missing DAEMON_ABORT
> Missing INTEGRITY_DATA
> Missing INTEGRITY_HASH
> Missing INTEGRITY_METADATA
> Missing INTEGRITY_RULE
> Missing INTEGRITY_STATUS
> Missing LABEL_OVERRIDE
> Missing MAC_CIPSOV4_ADD
> Missing MAC_CIPSOV4_DEL
> Missing MAC_IPSEC_ADDSA
> Missing MAC_IPSEC_ADDSPD
> Missing MAC_IPSEC_DELSA
> Missing MAC_IPSEC_DELSPD
> Missing MAC_IPSEC_EVENT
> Missing MAC_MAP_ADD
> Missing MAC_MAP_DEL
> Missing MAC_UNLBL_STCADD
> Missing MAC_UNLBL_STCDEL
> Missing NETFILTER_PKT
> Missing ROLE_MODIFY
> Missing ROLE_REMOVE
> Missing SELINUX_ERR
> Missing USER_LABELED_EXPORT
> Missing USER_MAC_CONFIG_CHANGE
> Missing USER_MAC_POLICY_LOAD
> Missing USER_MGMT
> Missing USER_SELINUX_ERR
> Missing USER_UNLABELED_EXPORT
>
> > Although turning on
> >
> > -a always,exit -F arch=b32 -S all
> > and
> > -a always,exit -F arch=b64 -S all
>
> There is a test suite, audit-test, that you might want to know about. It's used
> for Common Criteria certifications and can be found here:
>
> http://sourceforge.net/projects/audit-test/
>
> It can supposedly exercise the system to generate events. But I don't know if
> it removes audit logs between tests to make the event under test easier to
> find or not. But I have been thinking using it might be the best way to get
> the events I am missing.
>
> I know that you'll never get them all. Some are unused. Some have been
> deprecated. Some can only be generated when using SE Linux in MLS mode with
> labelled networking and printing. The Integrity events that I am missing are
> in the IMA subsystem. I can see them in the kernel, but I have no idea how to
> make them come out.
>
> > for a while does tend to generate a lot of audit, but it's clearly not
> > exhaustive so I am hoping we have some repositories that are shareable
> > and one can test against.
>
> For an exhaustive collection, you'd probably want to run without SE Linux
> enabled, with targeted policy, with MLS policy, and probably with other LSMs
> than SE Linux.
>
> -Steve
* Re: Repository of audit events
2014-04-09 17:19 ` Steve Grubb
2014-04-10 0:16 ` Burn Alting
@ 2014-04-10 1:26 ` Peter Moody
2014-04-11 3:36 ` Mimi Zohar
1 sibling, 1 reply; 9+ messages in thread
From: Peter Moody @ 2014-04-10 1:26 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> Missing INTEGRITY_RULE
IMA with an 'audit' rule generates INTEGRITY_RULE messages.
* Re: Repository of audit events
2014-04-10 1:26 ` Peter Moody
@ 2014-04-11 3:36 ` Mimi Zohar
2014-04-11 14:07 ` Steve Grubb
0 siblings, 1 reply; 9+ messages in thread
From: Mimi Zohar @ 2014-04-11 3:36 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit
On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
>
> > Missing INTEGRITY_RULE
>
> IMA with an 'audit' rule generates INTEGRITY_RULE messages.
> Missing INTEGRITY_DATA
Failure to collect or appraise file data.
(Requires the filesystem to be labeled w/security.ima and integrity
appraisal enabled.)
> Missing INTEGRITY_HASH
Not used.
> Missing INTEGRITY_METADATA
Before updating/removing the 'security.evm' xattr or modifying file
metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
i_mode, FSUUID, i_generation), EVM verifies the existing value.
(Requires the filesystem to be labeled w/security.evm and integrity
appraisal enabled.)
> Missing INTEGRITY_STATUS
Errors related to the IMA policy.
Mimi
* Re: Repository of audit events
2014-04-11 3:36 ` Mimi Zohar
@ 2014-04-11 14:07 ` Steve Grubb
2014-04-11 15:26 ` Mimi Zohar
0 siblings, 1 reply; 9+ messages in thread
From: Steve Grubb @ 2014-04-11 14:07 UTC (permalink / raw)
To: Mimi Zohar, linux-audit
Hi Mimi,
On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> >
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
For those of us not really up on IMA and just want to generate the event to
add to our collection, any tips on doing this?
> > Missing INTEGRITY_DATA
>
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)
How would I cause this event to be generated if I wanted to see it?
> > Missing INTEGRITY_HASH
>
> Not used.
OK, I'll mark that deprecated.
> > Missing INTEGRITY_METADATA
>
> Before updating/removing the 'security.evm' xattr or modifying file
> metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)
How to get it?
> > Missing INTEGRITY_STATUS
>
> Errors related to the IMA policy.
How to get it?
Thanks,
-Steve
* Re: Repository of audit events
2014-04-11 14:07 ` Steve Grubb
@ 2014-04-11 15:26 ` Mimi Zohar
0 siblings, 0 replies; 9+ messages in thread
From: Mimi Zohar @ 2014-04-11 15:26 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote:
> Hi Mimi,
>
> On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > > Missing INTEGRITY_RULE
> > >
> > > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
>
> For those of us not really up on IMA and just want to generate the event to
> add to our collection, any tips on doing this?
Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA
policy* containing an audit rule (eg. audit func=BPRM_CHECK
mask=MAY_EXEC).
*Directions below for loading a policy.
> > > Missing INTEGRITY_DATA
> >
> > Failure to collect or appraise file data.
> > (Requires the filesystem to be labeled w/security.ima and integrity
> > appraisal enabled.)
>
> How would I cause this event to be generated if I wanted to see it?
Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and
loading an IMA policy containing a measurement/appraisal rule (eg.
measure func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0,
audit func=BPRM_CHECK mask=MAY_EXEC). Both the boot command line
options 'ima_tcb' and 'ima_appraise_tcb' have these rules. Unlabeled
filesystems would require the additional boot command line option
'ima_appraise=fix'.
> > > Missing INTEGRITY_HASH
> >
> > Not used.
>
> OK, I'll mark that deprecated.
>
> > > Missing INTEGRITY_METADATA
> >
> > Before updating/removing the 'security.evm' xattr or modifying file
> > metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> > i_mode, FSUUID, i_generation), EVM verifies the existing value.
> > (Requires the filesystem to be labeled w/security.evm and integrity
> > appraisal enabled.)
>
> How to get it?
In addition to the IMA/IMA-appraisal config options, requires
CONFIG_EVM=y. Assuming you've created an EVM key and loaded it, EVM is
enabled. (dracut has an EVM module.) Unlabeled filesystems would
require the additional boot command line option 'ima_evm=fix'.
> > > Missing INTEGRITY_STATUS
> >
> > Errors related to the IMA policy.
>
> How to get it?
Directions for loading a policy: to load a policy or replace the boot
command line 'ima_tcb'/'ima_appraisal_tcb' policies, cat the new policy
to /sys/kernel/security/ima/config. The IMA LTP testsuite has examples.
Mimi
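Putting Mimi's two answers together (the rule forms she quotes and her directions for loading a policy through securityfs), the script below is an added example for this page, not code from the thread, from IMA or from the LTP suite. It validates a candidate policy made of `action key=value ...` rules before writing it, so a typo is caught locally instead of surfacing only as a write error from the kernel. The ACTIONS, FUNCS, MASKS and CONDITIONS sets are a constructed subset of what the kernel accepts, SAMPLE_POLICY is built from the rules in Mimi's message, and the default load path /sys/kernel/security/ima/policy is an assumption about where securityfs is mounted and what the policy node is called on current kernels; pass your own path if it differs.

```python
"""Validate an IMA policy, then load it through securityfs.

Added example for this thread; not IMA, auditd or LTP code. The vocabulary
tables are a constructed subset of the kernel's IMA policy grammar.
"""
import os

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"FILE_CHECK", "BPRM_CHECK", "MMAP_CHECK", "MODULE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
CONDITIONS = {"func", "mask", "uid", "fsmagic", "fsuuid", "obj_type"}

# Assumption: securityfs mounted at /sys/kernel/security, IMA policy node "policy".
DEFAULT_POLICY_PATH = "/sys/kernel/security/ima/policy"

# Constructed policy using the rules quoted in the thread, plus a comment line.
SAMPLE_POLICY = """\
# measure executables, measure root's reads, audit executions
measure func=BPRM_CHECK
measure func=FILE_CHECK mask=MAY_READ uid=0
audit func=BPRM_CHECK mask=MAY_EXEC
"""


class PolicyError(ValueError):
    """Raised for a rule the validator does not accept."""


def parse_rule(line, lineno=0):
    """Parse one 'action key=value ...' rule into a dict, or raise PolicyError."""
    tokens = line.split()
    if not tokens:
        raise PolicyError(f"line {lineno}: empty rule")
    action, conditions = tokens[0], tokens[1:]
    if action not in ACTIONS:
        raise PolicyError(f"line {lineno}: unknown action {action!r}")
    rule = {"action": action}
    for token in conditions:
        if "=" not in token:
            raise PolicyError(f"line {lineno}: condition {token!r} is not key=value")
        key, value = token.split("=", 1)
        if key not in CONDITIONS:
            raise PolicyError(f"line {lineno}: unknown condition {key!r}")
        if key == "func" and value not in FUNCS:
            raise PolicyError(f"line {lineno}: unknown func {value!r}")
        if key == "mask" and value not in MASKS:
            raise PolicyError(f"line {lineno}: unknown mask {value!r}")
        if key == "uid" and not value.isdigit():
            raise PolicyError(f"line {lineno}: uid must be numeric, got {value!r}")
        rule[key] = int(value) if key == "uid" else value
    return rule


def parse_policy(text):
    """Validate every non-comment line; return the list of parsed rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line, lineno))
    if not rules:
        raise PolicyError("policy contains no rules")
    return rules


def load_policy(text, path=DEFAULT_POLICY_PATH):
    """Validate the policy, then write it to the securityfs node. Returns rule count."""
    rules = parse_policy(text)
    if not os.path.exists(path):
        raise FileNotFoundError(f"{path}: securityfs not mounted or IMA not built in")
    with open(path, "w") as node:
        node.write(text)
    return len(rules)


if __name__ == "__main__":
    for rule in parse_policy(SAMPLE_POLICY):
        print(rule)
```

Writing to the policy node needs root and a kernel built with CONFIG_IMA (and CONFIG_INTEGRITY_AUDIT=y for the INTEGRITY_RULE records Mimi describes); the validator itself runs anywhere, which is the point of keeping it separate from the write.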