* Repository of audit events
@ 2014-04-09  6:25 Burn Alting
  2014-04-09 16:32 ` Eric Paris
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Burn Alting @ 2014-04-09  6:25 UTC (permalink / raw)
  To: linux-audit

All,

Does there exist a repository of audit events that could be used to test
changes to the audit parsing code?

Although turning on 

-a always,exit -F arch=b32 -S all
and
-a always,exit -F arch=b64 -S all

for a while does tend to generate a lot of audit, but it's clearly not
exhaustive so I am hoping we have some repositories that are shareable
and one can test against.

Rgds


* Re: Repository of audit events
From: Eric Paris @ 2014-04-09 16:32 UTC (permalink / raw)
  To: burn; +Cc: linux-audit

To the best of my knowledge there is no way to generate every record
type.  I did send sgrubb the beginnings of me trying to write a suite of
programs to exercise some of them for hopeful eventual inclusion in the
auparse checker tool...

I really think such a thing would be useful...

On Wed, 2014-04-09 at 16:25 +1000, Burn Alting wrote:
> All,
> 
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
> 
> Although turning on 
> 
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
> 
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.
> 
> Rgds
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Repository of audit events
From: lists_todd @ 2014-04-09 16:33 UTC (permalink / raw)
  To: burn; +Cc: linux-audit


On Apr 8, 2014, at 11:25 PM, Burn Alting <burn@swtf.dyndns.org> wrote:

> All,
> 
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?
> 
> Although turning on 
> 
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all
> 
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.

If anyone has links, please share with the lists. I would appreciate the data sources as well.

I’ve started adding Linux audit analysis to my Mac-based tools, and more data for testing is always appreciated.

Todd


* Re: Repository of audit events
From: Steve Grubb @ 2014-04-09 17:19 UTC (permalink / raw)
  To: linux-audit, burn

On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> Does there exist a repository of audit events that could be used to test
> changes to the audit parsing code?

I don't have one. My count is that there are 144 known events. I created a 
testing tool, ausearch-test, that is located here:

http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz

It can mine your audit logs for one example of each kind of event to a file 
that can later be used for testing. I have run it over and over from various 
machines and doing stuff to provoke events such as the IMA events. Running the 
aucoverage utility against my database shows I am missing 68. Of those, 18 are 
in the ANOM_ category which is a place-holder for events to be used in an IDS 
plugin still under development. There are 13 missing in the RESP_ category 
because the IPS plugin is not using them yet. So, that leaves 37 real events 
that I don't have in my collection.

This is the list of events I have never been able to generate:

Missing AVC_PATH
Missing CHUSER_ID
Missing CRYPTO_FAILURE_USER
Missing CRYPTO_LOGIN
Missing CRYPTO_LOGOUT
Missing CRYPTO_PARAM_CHANGE_USER
Missing CRYPTO_REPLAY_USER
Missing CRYPTO_TEST_USER
Missing DAC_CHECK
Missing DAEMON_ABORT
Missing INTEGRITY_DATA
Missing INTEGRITY_HASH
Missing INTEGRITY_METADATA
Missing INTEGRITY_RULE
Missing INTEGRITY_STATUS
Missing LABEL_OVERRIDE
Missing MAC_CIPSOV4_ADD
Missing MAC_CIPSOV4_DEL
Missing MAC_IPSEC_ADDSA
Missing MAC_IPSEC_ADDSPD
Missing MAC_IPSEC_DELSA
Missing MAC_IPSEC_DELSPD
Missing MAC_IPSEC_EVENT
Missing MAC_MAP_ADD
Missing MAC_MAP_DEL
Missing MAC_UNLBL_STCADD
Missing MAC_UNLBL_STCDEL
Missing NETFILTER_PKT
Missing ROLE_MODIFY
Missing ROLE_REMOVE
Missing SELINUX_ERR
Missing USER_LABELED_EXPORT
Missing USER_MAC_CONFIG_CHANGE
Missing USER_MAC_POLICY_LOAD
Missing USER_MGMT
Missing USER_SELINUX_ERR
Missing USER_UNLABELED_EXPORT

> Although turning on
> 
> -a always,exit -F arch=b32 -S all
> and
> -a always,exit -F arch=b64 -S all

There is a test suite, audit-test, that you might want to know about. It's used 
for Common Criteria certifications and can be found here:

http://sourceforge.net/projects/audit-test/

It can supposedly exercise the system to generate events. But I don't know if 
it removes audit logs between tests to make the event under test easier to find 
or not. But I have been thinking using it might be the best way to get 
the events I am missing.

I know that you'll never get them all. Some are unused. Some have been 
deprecated. Some can only be generated when using SE Linux in MLS mode with 
labelled networking and printing. The Integrity events that I am missing are 
in the IMA subsystem. I can see them in the kernel, but I have no idea how to 
make them come out.
 
> for a while does tend to generate a lot of audit, but it's clearly not
> exhaustive so I am hoping we have some repositories that are shareable
> and one can test against.

For an exhaustive collection, you'd probably want to run without SE Linux 
enabled, with targeted policy, with MLS policy, and probably with other LSMs 
than SE Linux.

-Steve
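The mining-and-coverage step described above (keep one exemplar of each record type from audit.log, then tally what is still missing, splitting out the ANOM_/RESP_ placeholders the way the count above does) as an added Python example; this is not ausearch-test or aucoverage, nor any code from the thread. The log lines and the KNOWN_TYPES list are constructed for this example; a real run would read /var/log/audit/audit.log and take the type table from the audit library.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the format auditd writes to audit.log.
# They are fabricated for this example, not taken from any real system.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397023526.101:1001): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1397023526.101:1001): argc=1 a0="id"
type=CWD msg=audit(1397023526.101:1001):  cwd="/root"
type=PATH msg=audit(1397023526.101:1001): item=0 name="/usr/bin/id" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1397023530.220:1002): pid=1300 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1397023531.005:1003): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"
type=INTEGRITY_RULE msg=audit(1397023540.000:1004): pid=1500 uid=0 auid=1000 ses=3 op="appraise_data" cause="missing-hash" comm="sh" name="/usr/local/bin/tool" dev="dm-0" ino=4321 res=0
this line is not an audit record and must be skipped
"""

# Every audit.log record starts with "type=NAME msg=audit(secs.msecs:serial):".
RECORD_RE = re.compile(
    r'^type=(?P<type>[A-Z0-9_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')


def parse_record(line):
    """Return (type, timestamp, serial) for one audit.log line, or None when
    the line does not carry the type=... msg=audit(...) record header."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return m.group('type'), float(m.group('ts')), int(m.group('serial'))


def mine_one_per_type(lines):
    """Keep the first complete record line seen for every record type: one
    exemplar per type is what a parser regression corpus needs."""
    exemplars = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue  # continuation text, blank line, or corruption
        exemplars.setdefault(parsed[0], line.rstrip('\n'))
    return exemplars


def coverage(exemplars, known_types):
    """Split the known record types into collected and missing, and separate
    the ANOM_/RESP_ placeholder families from the 'real' gaps."""
    have = sorted(t for t in known_types if t in exemplars)
    missing = sorted(t for t in known_types if t not in exemplars)
    placeholders = [t for t in missing if t.startswith(('ANOM_', 'RESP_'))]
    real_missing = [t for t in missing if t not in placeholders]
    return {'have': have, 'missing': missing,
            'placeholders': placeholders, 'real_missing': real_missing}


# A constructed subset of record types standing in for the full type table a
# real run would take from the audit library (not the 144 mentioned above).
KNOWN_TYPES = ['SYSCALL', 'EXECVE', 'CWD', 'PATH', 'USER_LOGIN', 'AVC', 'AVC_PATH',
               'INTEGRITY_RULE', 'INTEGRITY_DATA', 'ANOM_ABEND', 'RESP_TERMINATE']

if __name__ == '__main__':
    found = mine_one_per_type(SAMPLE_LOG.splitlines())
    report = coverage(found, KNOWN_TYPES)
    for rtype, line in found.items():
        print(f'{rtype:16} {line[:60]}')
    print('missing:', report['missing'])
    print('real missing (excluding ANOM_/RESP_):', report['real_missing'])
```

Appending the exemplar lines to a file over many runs on different machines, as the message above describes, only ever adds types that are new, so the corpus grows monotonically while the real_missing list shrinks.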


* Re: Repository of audit events
From: Burn Alting @ 2014-04-10  0:16 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

All,

I'll start going through these references to see how complete (based on
current mainstream Linux deployments) a set of events I can get and
report back.

Regards
Burn

On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:
> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
> > Does there exist a repository of audit events that could be used to test
> > changes to the audit parsing code?
> 
> I don't have one. My count is that there are 144 known events. I created a 
> testing tool, ausearch-test, that is located here:
> 
> http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
> 
> It can mine your audit logs for one example of each kind of event to a file 
> that can later be used for testing. I have run it over and over from various 
> machines and doing stuff to provoke events such as the IMA events. Running the 
> aucoverage utility against my database shows I am missing 68. Of those, 18 are 
> in the ANOM_ category which is a place-holder for events to be used in an IDS 
> plugin still under development. There are 13 missing in the RESP_ category 
> because the IPS plugin is not using them yet. So, that leaves 37 real events 
> that I don't have in my collection.
> 
> This is the list of events I have never been able to generate:
> 
> Missing AVC_PATH
> Missing CHUSER_ID
> Missing CRYPTO_FAILURE_USER
> Missing CRYPTO_LOGIN
> Missing CRYPTO_LOGOUT
> Missing CRYPTO_PARAM_CHANGE_USER
> Missing CRYPTO_REPLAY_USER
> Missing CRYPTO_TEST_USER
> Missing DAC_CHECK
> Missing DAEMON_ABORT
> Missing INTEGRITY_DATA
> Missing INTEGRITY_HASH
> Missing INTEGRITY_METADATA
> Missing INTEGRITY_RULE
> Missing INTEGRITY_STATUS
> Missing LABEL_OVERRIDE
> Missing MAC_CIPSOV4_ADD
> Missing MAC_CIPSOV4_DEL
> Missing MAC_IPSEC_ADDSA
> Missing MAC_IPSEC_ADDSPD
> Missing MAC_IPSEC_DELSA
> Missing MAC_IPSEC_DELSPD
> Missing MAC_IPSEC_EVENT
> Missing MAC_MAP_ADD
> Missing MAC_MAP_DEL
> Missing MAC_UNLBL_STCADD
> Missing MAC_UNLBL_STCDEL
> Missing NETFILTER_PKT
> Missing ROLE_MODIFY
> Missing ROLE_REMOVE
> Missing SELINUX_ERR
> Missing USER_LABELED_EXPORT
> Missing USER_MAC_CONFIG_CHANGE
> Missing USER_MAC_POLICY_LOAD
> Missing USER_MGMT
> Missing USER_SELINUX_ERR
> Missing USER_UNLABELED_EXPORT
> 
> > Although turning on
> > 
> > -a always,exit -F arch=b32 -S all
> > and
> > -a always,exit -F arch=b64 -S all
> 
> There is a test suite, audit-test, that you might want to know about. It's used 
> for Common Criteria certifications and can be found here:
> 
> http://sourceforge.net/projects/audit-test/
> 
> It can supposedly exercise the system to generate events. But I don't know if 
> it removes audit logs between tests to make finding the event under test easier 
> to find or not. But I have been thinking using it might be the best way to get 
> the events I am missing.
> 
> I know that you'll never get them all. Some are unused. Some have been 
> deprecated. Some can only be generated when using SE Linux in MLS mode with 
> labelled networking and printing. The Integrity events that I am missing are 
> in the IMA subsystem. I can see them in the kernel, but I have no idea how to 
> make them come out.
>  
> > for a while does tend to generate a lot of audit, but it's clearly not
> > exhaustive so I am hoping we have some repositories that are shareable
> > and one can test against.
> 
> For an exhaustive collection, you'd probably want to run without SE Linux 
> enabled, with targeted policy, with MLS policy, and probably with other LSMs 
> than SE Linux.
> 
> -Steve


* Re: Repository of audit events
From: Peter Moody @ 2014-04-10  1:26 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:

> Missing INTEGRITY_RULE

IMA with an 'audit' rule generates INTEGRITY_RULE messages.


* Re: Repository of audit events
From: Mimi Zohar @ 2014-04-11  3:36 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit


On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> 
> > Missing INTEGRITY_RULE
> 
> IMA with an 'audit' rule generates INTEGRITY_RULE messages.

> Missing INTEGRITY_DATA

Failure to collect or appraise file data.
(Requires the filesystem to be labeled w/security.ima and integrity
appraisal enabled.)

> Missing INTEGRITY_HASH

Not used.

> Missing INTEGRITY_METADATA

Before updating/removing the 'security.evm' xattr or modifying file
metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
i_mode, FSUUID, i_generation), EVM verifies the existing value.
(Requires the filesystem to be labeled w/security.evm and integrity
appraisal enabled.)
 
> Missing INTEGRITY_STATUS

Errors related to the IMA policy.

Mimi


* Re: Repository of audit events
From: Steve Grubb @ 2014-04-11 14:07 UTC (permalink / raw)
  To: Mimi Zohar, linux-audit

Hi Mimi,

On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> > 
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.

For those of us who are not really up on IMA and just want to generate the event to 
add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA
> 
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)

How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH
> 
> Not used.

OK, I'll mark that deprecated.

> > Missing INTEGRITY_METADATA
> 
> Before updating/removing the 'security.evm' xattr or modifying file
> metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)

How to get it?

> > Missing INTEGRITY_STATUS
> 
> Errors related to the IMA policy.

How to get it?

Thanks,
-Steve


* Re: Repository of audit events
From: Mimi Zohar @ 2014-04-11 15:26 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote: 
> Hi Mimi,
> 
> On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > > Missing INTEGRITY_RULE
> > > 
> > > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
> 
> For those of us not really up on IMA and just want to generate the event to 
> add to our collection, any tips on doing this?

Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA
policy* containing an audit rule (e.g. audit func=BPRM_CHECK
mask=MAY_EXEC).

*Directions below for loading a policy.

> > > Missing INTEGRITY_DATA
> > 
> > Failure to collect or appraise file data.
> > (Requires the filesystem to be labeled w/security.ima and integrity
> > appraisal enabled.)
> 
> How would I cause this event to be generated if I wanted to see it?

Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and
loading an IMA policy containing a measurement/appraisal rule (e.g.
measure func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0,
audit func=BPRM_CHECK mask=MAY_EXEC).  Both the boot command line
options 'ima_tcb' and 'ima_appraise_tcb' have these rules.  Unlabeled
filesystems would require the additional boot command line option
'ima_appraise=fix'.

> > > Missing INTEGRITY_HASH
> > 
> > Not used.
> 
> OK, I'll mark that deprecated.
> 
> > > Missing INTEGRITY_METADATA
> > 
> > Before updating/removing the 'security.evm' xattr or modifying file
> > metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> > i_mode, FSUUID, i_generation), EVM verifies the existing value.
> > (Requires the filesystem to be labeled w/security.evm and integrity
> > appraisal enabled.)
> 
> How to get it?

In addition to the IMA/IMA-appraisal config options, requires
CONFIG_EVM=y.  Assuming you've created an EVM key and loaded it, EVM is
enabled.  (dracut has an EVM module.)  Unlabeled filesystems would
require the additional boot command line option 'ima_evm=fix'.

> > > Missing INTEGRITY_STATUS
> > 
> > Errors related to the IMA policy.
> 
> How to get it?

Directions for loading a policy: to load a policy or replace the boot
command line 'ima_tcb'/'ima_appraise_tcb' policies, cat the new policy
to /sys/kernel/security/ima/config.  The IMA LTP testsuite has examples.

Mimi
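The prerequisites listed in the replies above for the INTEGRITY_RULE, INTEGRITY_DATA and INTEGRITY_METADATA records (kernel options, a loaded policy with the right kinds of rules, or the ima_tcb/ima_appraise_tcb boot policies) as an added offline check in Python; this is example code, not part of the IMA project or of the thread. The kernel config, boot command line and policy text are constructed samples; a real run would read /proc/config.gz or /boot/config-$(uname -r), /proc/cmdline and your policy file. The rule grammar encoded here is a subset sufficient for the rules quoted above, and the load step (writing the policy into the IMA securityfs interface as described) is deliberately not performed, since it needs root and an IMA-enabled kernel.

```python
import re

# Kernel options each INTEGRITY_* record depends on, transcribed from the
# replies above; the checker around this table is added example code.
EVENT_REQUIREMENTS = {
    'INTEGRITY_RULE':     ['CONFIG_INTEGRITY_AUDIT'],
    'INTEGRITY_DATA':     ['CONFIG_IMA', 'CONFIG_IMA_APPRAISE'],
    'INTEGRITY_METADATA': ['CONFIG_IMA', 'CONFIG_IMA_APPRAISE', 'CONFIG_EVM'],
}
# Boot options named above whose built-in policies already carry
# measurement/appraisal rules.
BUILTIN_POLICY_OPTIONS = {'ima_tcb', 'ima_appraise_tcb'}

# Subset of the IMA policy grammar: enough for the rule shapes quoted above.
RULE_ACTIONS = {'measure', 'dont_measure', 'appraise', 'dont_appraise', 'audit'}
RULE_FUNCS = {'FILE_CHECK', 'MMAP_CHECK', 'BPRM_CHECK', 'MODULE_CHECK'}
RULE_MASKS = {'MAY_READ', 'MAY_WRITE', 'MAY_EXEC', 'MAY_APPEND'}
RULE_KEYS = {'func', 'mask', 'fsmagic', 'fsuuid', 'uid', 'fowner',
             'obj_user', 'obj_role', 'obj_type', 'subj_user', 'subj_role', 'subj_type'}

# Constructed inputs: a kernel config with IMA appraisal but neither
# CONFIG_INTEGRITY_AUDIT nor EVM, a command line booting with ima_tcb, and a
# policy made of the two rule shapes quoted in the replies.
SAMPLE_CONFIG = """\
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
# CONFIG_INTEGRITY_AUDIT is not set
# CONFIG_EVM is not set
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro ima_tcb"
SAMPLE_POLICY = """\
# constructed policy for this example
audit func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
"""


def parse_kernel_config(text):
    """Return the set of options enabled (=y or =m) in a kernel .config."""
    enabled = set()
    for line in text.splitlines():
        m = re.match(r'^(CONFIG_\w+)=([ym])\b', line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled


def validate_ima_rule(rule):
    """Return the problems found in one policy rule line ([] if it parses
    under the grammar subset above)."""
    problems = []
    tokens = rule.split()
    if not tokens:
        return ['empty rule']
    action, conditions = tokens[0], tokens[1:]
    if action not in RULE_ACTIONS:
        problems.append(f'unknown action {action!r}')
    for cond in conditions:
        key, sep, value = cond.partition('=')
        if not sep or key not in RULE_KEYS:
            problems.append(f'unknown condition {cond!r}')
            continue
        if key == 'func' and value not in RULE_FUNCS:
            problems.append(f'unknown func {value!r}')
        elif key == 'mask' and value not in RULE_MASKS:
            problems.append(f'unknown mask {value!r}')
        elif key in ('uid', 'fowner') and not value.isdigit():
            problems.append(f'{key} must be numeric, got {value!r}')
    return problems


def integrity_readiness(config_text, cmdline, policy_text):
    """For each INTEGRITY_* record discussed above, list the stated
    prerequisites not met by this config, boot command line and policy."""
    enabled = parse_kernel_config(config_text)
    boot_opts = set(cmdline.split())
    rules = [r for r in policy_text.splitlines()
             if r.strip() and not r.lstrip().startswith('#')]
    # Only rules that parse count; a malformed rule would be rejected on load.
    actions = {r.split()[0] for r in rules if not validate_ima_rule(r)}
    has_builtin_policy = bool(boot_opts & BUILTIN_POLICY_OPTIONS)

    report = {}
    for event, options in EVENT_REQUIREMENTS.items():
        unmet = [f'{opt} not enabled' for opt in options if opt not in enabled]
        if event == 'INTEGRITY_RULE' and 'audit' not in actions:
            unmet.append('no audit rule in IMA policy')
        if event != 'INTEGRITY_RULE' and not (actions & {'measure', 'appraise'}) \
                and not has_builtin_policy:
            unmet.append('no measure/appraise rule in policy and no '
                         'ima_tcb/ima_appraise_tcb boot option')
        report[event] = unmet
    return report


if __name__ == '__main__':
    for event, unmet in integrity_readiness(SAMPLE_CONFIG, SAMPLE_CMDLINE,
                                            SAMPLE_POLICY).items():
        print(event, 'ready' if not unmet else '; '.join(unmet))
```

Two things the check cannot see offline are also stated above: INTEGRITY_METADATA additionally needs an EVM key created and loaded, and on filesystems not yet labelled with security.ima the 'ima_appraise=fix' boot option is needed before appraisal will pass; both are worth confirming by hand on the target machine.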

