* Event generator
@ 2017-01-20 13:04 Burn Alting
  2017-01-20 13:35 ` Paul Moore
  2017-01-20 15:10 ` Steve Grubb
  0 siblings, 2 replies; 3+ messages in thread
From: Burn Alting @ 2017-01-20 13:04 UTC (permalink / raw)
  To: linux-audit

Does anyone know of an exhaustive auditd event generator?

I am aware of ausearch-test and audit-validation but I am looking for a
script or the like that will generate an exhaustive as possible set of
events - both success and failure.

Basically, I am looking at a script that, once an 'auditctl ... -S
all ...' has been enabled, will attempt to generate one of every
syscall. Both success/fail.

Something separate could do the USER_, CRYPTO_, DAEMON_, SERVICE_,
CONFIG_ filewatch, etc events as well.

Thanks in advance.


* Re: Event generator
  2017-01-20 13:04 Event generator Burn Alting
@ 2017-01-20 13:35 ` Paul Moore
  2017-01-20 15:10 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Moore @ 2017-01-20 13:35 UTC (permalink / raw)
  To: burn; +Cc: linux-audit

On Fri, Jan 20, 2017 at 8:04 AM, Burn Alting <burn@swtf.dyndns.org> wrote:
> Does anyone know of an exhaustive auditd event generator?
>
> I am aware of ausearch-test and audit-validation but I am looking for a
> script or the like that will generate an exhaustive as possible set of
> events - both success and failure.
>
> Basically, I am looking at a script that, once an 'auditctl ... -S
> all ...' has been enabled, will attempt to generate one of every
> syscall. Both success/fail.
>
> Something separate could do the USER_, CRYPTO_, DAEMON_, SERVICE_,
> CONFIG_ filewatch, etc events as well.
>
> Thanks in advance.

The two audit test suites I'm aware of are the Common Criteria focused
audit-test[1] and the more recent, and much more meager
audit-testsuite[2] that we use for simple kernel patch validation and
regression testing.

[1] https://sourceforge.net/projects/audit-test
[2] https://github.com/linux-audit/audit-testsuite

-- 
paul moore
www.paul-moore.com


* Re: Event generator
  2017-01-20 13:04 Event generator Burn Alting
  2017-01-20 13:35 ` Paul Moore
@ 2017-01-20 15:10 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2017-01-20 15:10 UTC (permalink / raw)
  To: linux-audit, burn

On Saturday, January 21, 2017 12:04:53 AM EST Burn Alting wrote:
> Does anyone know of an exhaustive auditd event generator?

There really isn't one. I have only been able to collect about 73 of the ~160
record types. Some are really hard to generate such as the integrity events.
Some have barely been used like the response events.

> I am aware of ausearch-test and audit-validation but I am looking for a
> script or the like that will generate an exhaustive as possible set of
> events - both success and failure.
> 
> Basically, I am looking at a script that, once an 'auditctl ... -S
> all ...' has been enabled, will attempt to generate one of every
> syscall. Both success/fail.

Nothing does that, but the Linux Test Project has a syscall test suite that
should exercise almost all positive and negative. I don't think you want to do
an auditctl -S all. That would be way too much. Also, some syscalls are
deprecated and are there just for legacy purposes. Glibc won't let you get to it.
And there are syscalls that glibc does not support and you have to call via
the syscall(3) function.

> Something separate could do the USER_, CRYPTO_, DAEMON_, SERVICE_,
> CONFIG_ filewatch, etc events as well.

The audit test suite Paul mentioned will generate some of these events. 
However, Common Criteria testing is not exhaustive. It only covers events 
normally found in daily sysadmin activity.

I think it would be a big help if anyone were to create such a generator.

-Steve
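
Added illustration, not part of the thread and not code from any of the projects mentioned: a C program that issues success/failure pairs for a few syscalls through syscall(3), the route Steve describes for calls glibc does not expose, including gettid and tgkill, which glibc did not wrap until 2.30. The path /nonexistent-audit-probe and the helper names are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Invoke a raw syscall; return 0 on success or the errno value on failure. */
static int raw(long nr, long a0, long a1, long a2, long *ret)
{
    errno = 0;
    *ret = syscall(nr, a0, a1, a2);
    return *ret == -1 ? errno : 0;
}

/* Run success/failure pairs; return how many probes behaved as expected. */
int run_probes(void)
{
    long r, fd, tid;
    int ok = 0;

    /* openat: success on "/", failure (ENOENT) on a constructed missing path */
    ok += raw(SYS_openat, AT_FDCWD, (long)"/", O_RDONLY | O_DIRECTORY, &fd) == 0;
    ok += raw(SYS_openat, AT_FDCWD, (long)"/nonexistent-audit-probe",
              O_RDONLY, &r) == ENOENT;

    /* close: success on the fd just opened, failure (EBADF) on -1 */
    ok += raw(SYS_close, fd, 0, 0, &r) == 0;
    ok += raw(SYS_close, -1, 0, 0, &r) == EBADF;

    /* gettid: reachable only through syscall(3) on glibc older than 2.30 */
    ok += raw(SYS_gettid, 0, 0, 0, &tid) == 0 && tid > 0;

    /* tgkill with signal 0 only checks the target: success on our own
       thread, failure (EINVAL) on an invalid thread id */
    ok += raw(SYS_tgkill, getpid(), tid, 0, &r) == 0;
    ok += raw(SYS_tgkill, getpid(), -1, 0, &r) == EINVAL;

    return ok;
}

int main(void)
{
    printf("%d of 7 probes behaved as expected\n", run_probes());
    return 0;
}
```

On a 64-bit system with a rule such as `auditctl -a always,exit -F arch=b64 -S openat,close,gettid,tgkill -k probe` loaded (the key name `probe` is an assumption), `ausearch -k probe -sv yes` and `ausearch -k probe -sv no` should split the resulting records by outcome.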
