July 2017 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: update the audit info in MAINTAINERS

by Paul Moore

From: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> --- MAINTAINERS | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 38d3e4ed7208..31154f312596 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2312,9 +2312,10 @@ AUDIT SUBSYSTEM M: Paul Moore <paul(a)paul-moore.com> M: Eric Paris <eparis(a)redhat.com> L: linux-audit(a)redhat.com (moderated for non-subscribers) -W: http://people.redhat.com/sgrubb/audit/ -T: git git://git.infradead.org/users/pcmoore/audit -S: Maintained +W: https://github.com/linux-audit +W: https://people.redhat.com/sgrubb/audit +T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git +S: Supported F: include/linux/audit.h F: include/uapi/linux/audit.h F: kernel/audit*

7 years, 4 months

1
0
0 / 0

Audit kernel repository moving to kernel.org

by Paul Moore

Hello, A quick note that I'm moving the audit kernel repository from infradead.org to kernel.org, please update your trees accordingly (hint: "git remote set-url ..."). * git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git * https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git -- paul moore www.paul-moore.com

7 years, 4 months

1
0
0 / 0

[RFC PATCH] specs: update message dictionary with source column

by Richard Guy Briggs

Add a column to indicate the source of the message, including indicating whether or not it is related to syscalls. Column name: SOURCE Key: CTL Control messages, usually initiated by audit daemon. DEP Deprecated message types IND Independent kernel message USR User message SC System-call related kernel message Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- specs/messages/message-dictionary.csv | 393 +++++++++++++++++---------------- 1 files changed, 197 insertions(+), 196 deletions(-) diff --git a/specs/messages/message-dictionary.csv b/specs/messages/message-dictionary.csv index 9831236..a0f8983 100644 --- a/specs/messages/message-dictionary.csv +++ b/specs/messages/message-dictionary.csv @@ -1,196 +1,197 @@ -MACRO NAME,VALUE,DESCRIPITON -AUDIT_GET,1000,Get status -AUDIT_SET,1001,Set status (enable/disable/auditd) -AUDIT_LIST,1002,List syscall rules -- deprecated -AUDIT_ADD,1003,Add syscall rule -- deprecated -AUDIT_DEL,1004,Delete syscall rule -- deprecated -AUDIT_USER,1005,Message from userspace -- deprecated -AUDIT_LOGIN,1006,Define the login ID and information -AUDIT_WATCH_INS,1007,Insert file/dir watch entry -AUDIT_WATCH_REM,1008,Remove file/dir watch entry -AUDIT_WATCH_LIST,1009,List all file/dir watches -AUDIT_SIGNAL_INFO,1010,Get info about sender of signal to auditd -AUDIT_ADD_RULE,1011,Add syscall filtering rule -AUDIT_DEL_RULE,1012,Delete syscall filtering rule -AUDIT_LIST_RULES,1013,List syscall filtering rules -AUDIT_TRIM,1014,Trim junk from watched tree -AUDIT_MAKE_EQUIV,1015,Append to watched tree -AUDIT_TTY_GET,1016,Get TTY auditing status -AUDIT_TTY_SET,1017,Set TTY auditing status -AUDIT_SET_FEATURE,1018,Turn an audit feature on or off -AUDIT_GET_FEATURE,1019,Get which features are enabled -AUDIT_USER_AUTH,1100,User system access authentication -AUDIT_USER_ACCT,1101,User system access authorization -AUDIT_USER_MGMT,1102,User account attribute change -AUDIT_CRED_ACQ,1103,User credential acquired -AUDIT_CRED_DISP,1104,User credential disposed -AUDIT_USER_START,1105,User session start -AUDIT_USER_END,1106,User session end -AUDIT_USER_AVC,1107,User space AVC (Access Vector Cache) message -AUDIT_USER_CHAUTHTOK,1108,User account password or PIN changed -AUDIT_USER_ERR,1109,User account state error -AUDIT_CRED_REFR,1110,User credential refreshed -AUDIT_USYS_CONFIG,1111,User space system config change -AUDIT_USER_LOGIN,1112,User has logged in -AUDIT_USER_LOGOUT,1113,User has logged out -AUDIT_ADD_USER,1114,User account added -AUDIT_DEL_USER,1115,User account deleted -AUDIT_ADD_GROUP,1116,Group account added -AUDIT_DEL_GROUP,1117,Group account deleted -AUDIT_DAC_CHECK,1118,User space DAC check results -AUDIT_CHGRP_ID,1119,User space group ID changed -AUDIT_TEST,1120,Used for test success messages -AUDIT_TRUSTED_APP,1121,Trusted app msg - freestyle text -AUDIT_USER_SELINUX_ERR,1122,SELinux user space error -AUDIT_USER_CMD,1123,User shell command and args -AUDIT_USER_TTY,1124,Non-ICANON TTY input meaning -AUDIT_CHUSER_ID,1125,Changed user ID supplemental data -AUDIT_GRP_AUTH,1126,Authentication for group password -AUDIT_SYSTEM_BOOT,1127,System boot -AUDIT_SYSTEM_SHUTDOWN,1128,System shutdown -AUDIT_SYSTEM_RUNLEVEL,1129,System runlevel change -AUDIT_SERVICE_START,1130,Service (daemon) start -AUDIT_SERVICE_STOP,1131,Service (daemon) stop -AUDIT_GRP_MGMT,1132,Group account attribute was modified -AUDIT_GRP_CHAUTHTOK,1133,Group account password or PIN changed -AUDIT_MAC_CHECK,1134,User space MAC (Mandatory Access Control) decision results -AUDIT_ACCT_LOCK,1135,User's account locked by admin -AUDIT_ACCT_UNLOCK,1136,User's account unlocked by admin -AUDIT_DAEMON_START,1200,Daemon startup record -AUDIT_DAEMON_END,1201,Daemon normal stop record -AUDIT_DAEMON_ABORT,1202,Daemon error stop record -AUDIT_DAEMON_CONFIG,1203,Daemon config change -AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure -AUDIT_DAEMON_ROTATE,1205,Auditd should rotate logs -AUDIT_DAEMON_RESUME,1206,Auditd should resume logging -AUDIT_DAEMON_ACCEPT,1207,Auditd accepted remote connection -AUDIT_DAEMON_CLOSE,1208,Auditd closed remote connection -AUDIT_DAEMON_ERR,1209,Auditd internal error -AUDIT_SYSCALL,1300,System call event information -AUDIT_FS_WATCH,1301,Deprecated -AUDIT_PATH,1302,Filename path information -AUDIT_IPC,1303,System call IPC (Inter-Process Communication) object -AUDIT_SOCKETCALL,1304,System call socketcall arguments -AUDIT_CONFIG_CHANGE,1305,Audit system configuration change -AUDIT_SOCKADDR,1306,System call socket address argument information -AUDIT_CWD,1307,Current working directory -AUDIT_EXECVE,1309,Arguments supplied to the execve system call -AUDIT_IPC_SET_PERM,1311,IPC new permissions record type -AUDIT_MQ_OPEN,1312,POSIX MQ open record type -AUDIT_MQ_SENDRECV,1313,POSIX MQ send/receive record type -AUDIT_MQ_NOTIFY,1314,POSIX MQ notify record type -AUDIT_MQ_GETSETATTR,1315,POSIX MQ get/set attribute record type -AUDIT_KERNEL_OTHER,1316,For use by 3rd party modules -AUDIT_FD_PAIR,1317,Information for pipe and socketpair system calls -AUDIT_OBJ_PID,1318,ptrace target -AUDIT_TTY,1319,Input on an administrative TTY -AUDIT_EOE,1320,End of multi-record event -AUDIT_BPRM_FCAPS,1321,Information about file system capabilities increasing permissions -AUDIT_CAPSET,1322,Record showing argument to sys_capset setting process-based capabilities -AUDIT_MMAP,1323,Mmap system call file descriptor and flags -AUDIT_NETFILTER_PKT,1324,Packets traversing netfilter chains -AUDIT_NETFILTER_CFG,1325,Netfilter chain modifications -AUDIT_SECCOMP,1326,Secure Computing event -AUDIT_PROCTITLE,1327,Process Title info -AUDIT_FEATURE_CHANGE,1328,Audit feature changed value -AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd -AUDIT_KERN_MODULE,1330,Kernel Module events -AUDIT_AVC,1400,SELinux AVC (Access Vector Cache) denial or grant -AUDIT_SELINUX_ERR,1401,Internal SELinux errors -AUDIT_AVC_PATH,1402,"dentry, vfsmount pair from AVC" -AUDIT_MAC_POLICY_LOAD,1403,SELinux Policy file load -AUDIT_MAC_STATUS,1404,"SELinux mode (enforcing, permissive, off) changed" -AUDIT_MAC_CONFIG_CHANGE,1405,SELinux Boolean value modification -AUDIT_MAC_UNLBL_ALLOW,1406,NetLabel: allow unlabeled traffic -AUDIT_MAC_CIPSOV4_ADD,1407,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry -AUDIT_MAC_CIPSOV4_DEL,1408,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry -AUDIT_MAC_MAP_ADD,1409,NetLabel: add LSM (Linux Security Module) domain mapping -AUDIT_MAC_MAP_DEL,1410,NetLabel: del LSM (Linux Security Module) domain mapping -AUDIT_MAC_IPSEC_ADDSA,1411,Not used -AUDIT_MAC_IPSEC_DELSA,1412,Not used -AUDIT_MAC_IPSEC_ADDSPD,1413,Not used -AUDIT_MAC_IPSEC_DELSPD,1414,Not used -AUDIT_MAC_IPSEC_EVENT,1415,Audit an IPsec event -AUDIT_MAC_UNLBL_STCADD,1416,NetLabel: add a static label -AUDIT_MAC_UNLBL_STCDEL,1417,NetLabel: del a static label -AUDIT_MAC_CALIPSO_ADD,1418,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry -AUDIT_MAC_CALIPSO_DEL,1419,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry -AUDIT_AA,1500, -AUDIT_APPARMOR_AUDIT,1501, -AUDIT_APPARMOR_ALLOWED,1502, -AUDIT_APPARMOR_DENIED,1503, -AUDIT_APPARMOR_HINT,1504, -AUDIT_APPARMOR_STATUS,1505, -AUDIT_APPARMOR_ERROR,1506, -AUDIT_ANOM_PROMISCUOUS,1700,Device changed promiscuous mode -AUDIT_ANOM_ABEND,1701,Process ended abnormally -AUDIT_ANOM_LINK,1702,Suspicious use of file links -AUDIT_INTEGRITY_DATA,1800,Data integrity verification -AUDIT_INTEGRITY_METADATA,1801,Metadata integrity verification -AUDIT_INTEGRITY_STATUS,1802,Integrity enable status -AUDIT_INTEGRITY_HASH,1803,Integrity HASH type -AUDIT_INTEGRITY_PCR,1804,PCR (Platform Configuration Register) invalidation messages -AUDIT_INTEGRITY_RULE,1805,Policy rule -AUDIT_KERNEL,2000,Kernel audit status -AUDIT_ANOM_LOGIN_FAILURES,2100,Failed login limit reached -AUDIT_ANOM_LOGIN_TIME,2101,Login attempted at bad time -AUDIT_ANOM_LOGIN_SESSIONS,2102,Maximum concurrent sessions reached -AUDIT_ANOM_LOGIN_ACCT,2103,Login attempted to watched account -AUDIT_ANOM_LOGIN_LOCATION,2104,Login from forbidden location -AUDIT_ANOM_MAX_DAC,2105,Max DAC (Discretionary Access Control) failures reached -AUDIT_ANOM_MAX_MAC,2106,Max MAC (Mandatory Access Control) failures reached -AUDIT_ANOM_AMTU_FAIL,2107,AMTU (Abstract Machine Test Utility) failure -AUDIT_ANOM_RBAC_FAIL,2108,RBAC (Role-Based Access Control) self test failure -AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,RBAC (Role-Based Access Control) file integrity test failure -AUDIT_ANOM_CRYPTO_FAIL,2110,Crypto system test failure -AUDIT_ANOM_ACCESS_FS,2111,Access of file or directory ended abnormally -AUDIT_ANOM_EXEC,2112,Execution of file ended abnormally -AUDIT_ANOM_MK_EXEC,2113,Make an executable -AUDIT_ANOM_ADD_ACCT,2114,Adding a user account ended abnormally -AUDIT_ANOM_DEL_ACCT,2115,Deleting a user account ended abnormally -AUDIT_ANOM_MOD_ACCT,2116,Changing an account ended abnormally -AUDIT_ANOM_ROOT_TRANS,2117,User became root -AUDIT_RESP_ANOMALY,2200,Anomaly not reacted to -AUDIT_RESP_ALERT,2201,Alert email was sent -AUDIT_RESP_KILL_PROC,2202,Kill program -AUDIT_RESP_TERM_ACCESS,2203,Terminate session -AUDIT_RESP_ACCT_REMOTE,2204,User account locked from remote access -AUDIT_RESP_ACCT_LOCK_TIMED,2205,User account locked for time -AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,User account unlocked from time -AUDIT_RESP_ACCT_LOCK,2207,User account was locked -AUDIT_RESP_TERM_LOCK,2208,Terminal was locked -AUDIT_RESP_SEBOOL,2209,Set an SELinux boolean -AUDIT_RESP_EXEC,2210,Execute a script -AUDIT_RESP_SINGLE,2211,Go to single user mode -AUDIT_RESP_HALT,2212,Take the system down -AUDIT_USER_ROLE_CHANGE,2300,User changed to a new SELinux role -AUDIT_ROLE_ASSIGN,2301,Administrator assigned user to SELinux role -AUDIT_ROLE_REMOVE,2302,Administrator removed user from SELinux role -AUDIT_LABEL_OVERRIDE,2303,Administrator is overriding a SELinux label -AUDIT_LABEL_LEVEL_CHANGE,2304,Object level SELinux label modified -AUDIT_USER_LABELED_EXPORT,2305,Object exported with SELinux label -AUDIT_USER_UNLABELED_EXPORT,2306,Object exported without SELinux label -AUDIT_DEV_ALLOC,2307,Device was allocated -AUDIT_DEV_DEALLOC,2308,Device was deallocated -AUDIT_FS_RELABEL,2309,Filesystem relabeled -AUDIT_USER_MAC_POLICY_LOAD,2310,Usersapce daemon loaded SELinux policy -AUDIT_ROLE_MODIFY,2311,Administrator modified an SELinux role -AUDIT_USER_MAC_CONFIG_CHANGE,2312,Change made to MAC (Mandatory Access Control) policy -AUDIT_CRYPTO_TEST_USER,2400,Cryptographic test results -AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,Cryptographic attribute change -AUDIT_CRYPTO_LOGIN,2402,Cryptographic officer login -AUDIT_CRYPTO_LOGOUT,2403,Cryptographic officer logout -AUDIT_CRYPTO_KEY_USER,2404,"Create, delete, negotiate cryptographic key identifier" -AUDIT_CRYPTO_FAILURE_USER,2405,"Fail decrypt, encrypt or randomize operation" -AUDIT_CRYPTO_REPLAY_USER,2406,Cryptographic replay attack detected -AUDIT_CRYPTO_SESSION,2407,Parameters set during TLS session establishment -AUDIT_CRYPTO_IKE_SA,2408,Parameters related to IKE SA -AUDIT_CRYPTO_IPSEC_SA,2409,Parameters related to IPSEC SA -AUDIT_VIRT_CONTROL,2500,"Start, Pause, Stop VM" -AUDIT_VIRT_RESOURCE,2501,Resource assignment -AUDIT_VIRT_MACHINE_ID,2502,Binding of label to VM -AUDIT_VIRT_INTEGRITY_CHECK,2503,Guest integrity results -AUDIT_VIRT_CREATE,2504,Creation of guest image -AUDIT_VIRT_DESTROY,2505,Destruction of guest image -AUDIT_VIRT_MIGRATE_IN,2506,Inbound guest migration info -AUDIT_VIRT_MIGRATE_OUT,2507,Outbound guest migration info +MACRO NAME,VALUE,SOURCE,DESCRIPITON +AUDIT_GET,1000,CTL,Get status +AUDIT_SET,1001,CTL,Set status (enable/disable/auditd) +AUDIT_LIST,1002,DEP,List syscall rules -- deprecated +AUDIT_ADD,1003,DEP,Add syscall rule -- deprecated +AUDIT_DEL,1004,DEP,Delete syscall rule -- deprecated +AUDIT_USER,1005,DEP,Message from userspace -- deprecated +AUDIT_LOGIN,1006,IND,Define the login ID and information +AUDIT_WATCH_INS,1007,DEP,Insert file/dir watch entry +AUDIT_WATCH_REM,1008,DEP,Remove file/dir watch entry +AUDIT_WATCH_LIST,1009,DEP,List all file/dir watches +AUDIT_SIGNAL_INFO,1010,CTL,Get info about sender of signal to auditd +AUDIT_ADD_RULE,1011,CTL,Add syscall filtering rule +AUDIT_DEL_RULE,1012,CTL,Delete syscall filtering rule +AUDIT_LIST_RULES,1013,CTL,List syscall filtering rules +AUDIT_TRIM,1014,CTL,Trim junk from watched tree +AUDIT_MAKE_EQUIV,1015,CTL,Append to watched tree +AUDIT_TTY_GET,1016,CTL,Get TTY auditing status +AUDIT_TTY_SET,1017,CTL,Set TTY auditing status +AUDIT_SET_FEATURE,1018,CTL,Turn an audit feature on or off +AUDIT_GET_FEATURE,1019,CTL,Get which features are enabled +AUDIT_USER_AUTH,1100,USR,User system access authentication +AUDIT_USER_ACCT,1101,USR,User system access authorization +AUDIT_USER_MGMT,1102,USR,User account attribute change +AUDIT_CRED_ACQ,1103,USR,User credential acquired +AUDIT_CRED_DISP,1104,USR,User credential disposed +AUDIT_USER_START,1105,USR,User session start +AUDIT_USER_END,1106,USR,User session end +AUDIT_USER_AVC,1107,USR,User space AVC (Access Vector Cache) message +AUDIT_USER_CHAUTHTOK,1108,USR,User account password or PIN changed +AUDIT_USER_ERR,1109,USR,User account state error +AUDIT_CRED_REFR,1110,USR,User credential refreshed +AUDIT_USYS_CONFIG,1111,USR,User space system config change +AUDIT_USER_LOGIN,1112,USR,User has logged in +AUDIT_USER_LOGOUT,1113,USR,User has logged out +AUDIT_ADD_USER,1114,USR,User account added +AUDIT_DEL_USER,1115,USR,User account deleted +AUDIT_ADD_GROUP,1116,USR,Group account added +AUDIT_DEL_GROUP,1117,USR,Group account deleted +AUDIT_DAC_CHECK,1118,USR,User space DAC check results +AUDIT_CHGRP_ID,1119,USR,User space group ID changed +AUDIT_TEST,1120,USR,Used for test success messages +AUDIT_TRUSTED_APP,1121,USR,Trusted app msg - freestyle text +AUDIT_USER_SELINUX_ERR,1122,USR,SELinux user space error +AUDIT_USER_CMD,1123,USR,User shell command and args +AUDIT_USER_TTY,1124,USR,Non-ICANON TTY input meaning +AUDIT_CHUSER_ID,1125,USR,Changed user ID supplemental data +AUDIT_GRP_AUTH,1126,USR,Authentication for group password +AUDIT_SYSTEM_BOOT,1127,USR,System boot +AUDIT_SYSTEM_SHUTDOWN,1128,USR,System shutdown +AUDIT_SYSTEM_RUNLEVEL,1129,USR,System runlevel change +AUDIT_SERVICE_START,1130,USR,Service (daemon) start +AUDIT_SERVICE_STOP,1131,USR,Service (daemon) stop +AUDIT_GRP_MGMT,1132,USR,Group account attribute was modified +AUDIT_GRP_CHAUTHTOK,1133,USR,Group account password or PIN changed +AUDIT_MAC_CHECK,1134,USR,User space MAC (Mandatory Access Control) decision results +AUDIT_ACCT_LOCK,1135,USR,User's account locked by admin +AUDIT_ACCT_UNLOCK,1136,USR,User's account unlocked by admin +AUDIT_DAEMON_START,1200,USR,Daemon startup record +AUDIT_DAEMON_END,1201,USR,Daemon normal stop record +AUDIT_DAEMON_ABORT,1202,USR,Daemon error stop record +AUDIT_DAEMON_CONFIG,1203,USR,Daemon config change +AUDIT_DAEMON_RECONFIG,1204,USR,Auditd should reconfigure +AUDIT_DAEMON_ROTATE,1205,USR,Auditd should rotate logs +AUDIT_DAEMON_RESUME,1206,USR,Auditd should resume logging +AUDIT_DAEMON_ACCEPT,1207,USR,Auditd accepted remote connection +AUDIT_DAEMON_CLOSE,1208,USR,Auditd closed remote connection +AUDIT_DAEMON_ERR,1209,USR,Auditd internal error +AUDIT_SYSCALL,1300,SC,System call event information +AUDIT_FS_WATCH,1301,DEP,Deprecated +AUDIT_PATH,1302,SC,Filename path information +AUDIT_IPC,1303,SC,System call IPC (Inter-Process Communication) object +AUDIT_SOCKETCALL,1304,SC,System call socketcall arguments +AUDIT_CONFIG_CHANGE,1305,IND,Audit system configuration change +AUDIT_SOCKADDR,1306,SC,System call socket address argument information +AUDIT_CWD,1307,SC,Current working directory +AUDIT_EXECVE,1309,SC,Arguments supplied to the execve system call +AUDIT_IPC_SET_PERM,1311,SC,IPC new permissions record type +AUDIT_MQ_OPEN,1312,SC,POSIX MQ open record type +AUDIT_MQ_SENDRECV,1313,SC,POSIX MQ send/receive record type +AUDIT_MQ_NOTIFY,1314,SC,POSIX MQ notify record type +AUDIT_MQ_GETSETATTR,1315,SC,POSIX MQ get/set attribute record type +AUDIT_KERNEL_OTHER,1316,IND,For use by 3rd party modules +AUDIT_FD_PAIR,1317,SC,Information for pipe and socketpair system calls +AUDIT_OBJ_PID,1318,SC,ptrace target +AUDIT_TTY,1319,IND,Input on an administrative TTY +AUDIT_EOE,1320,CTL,End of multi-record event +AUDIT_BPRM_FCAPS,1321,SC,Information about file system capabilities increasing permissions +AUDIT_CAPSET,1322,SC,Record showing argument to sys_capset setting process-based capabilities +AUDIT_MMAP,1323,SC,Mmap system call file descriptor and flags +AUDIT_NETFILTER_PKT,1324,IND,Packets traversing netfilter chains +AUDIT_NETFILTER_CFG,1325,IND/SC,Netfilter chain modifications +AUDIT_SECCOMP,1326,IND,Secure Computing event +AUDIT_PROCTITLE,1327,SC,Process Title info +AUDIT_FEATURE_CHANGE,1328,IND,Audit feature changed value +AUDIT_REPLACE,1329,CTL,Replace auditd if this probe unanswerd +AUDIT_KERN_MODULE,1330,SC,Kernel Module events +AUDIT_AVC,1400,SC,SELinux AVC (Access Vector Cache) denial or grant +AUDIT_SELINUX_ERR,1401,SC,Internal SELinux errors +AUDIT_AVC_PATH,1402,SC,"dentry, vfsmount pair from AVC" +AUDIT_MAC_POLICY_LOAD,1403,SC,SELinux Policy file load +AUDIT_MAC_STATUS,1404,SC,"SELinux mode (enforcing, permissive, off) changed" +AUDIT_MAC_CONFIG_CHANGE,1405,SC,SELinux Boolean value modification +AUDIT_MAC_UNLBL_ALLOW,1406,SC,NetLabel: allow unlabeled traffic +AUDIT_MAC_CIPSOV4_ADD,1407,SC,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry +AUDIT_MAC_CIPSOV4_DEL,1408,SC,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry +AUDIT_MAC_MAP_ADD,1409,SC,NetLabel: add LSM (Linux Security Module) domain mapping +AUDIT_MAC_MAP_DEL,1410,SC,NetLabel: del LSM (Linux Security Module) domain mapping +AUDIT_MAC_IPSEC_ADDSA,1411,DEP,Not used +AUDIT_MAC_IPSEC_DELSA,1412,DEP,Not used +AUDIT_MAC_IPSEC_ADDSPD,1413,DEP,Not used +AUDIT_MAC_IPSEC_DELSPD,1414,DEP,Not used +AUDIT_MAC_IPSEC_EVENT,1415,SC,Audit an IPsec event +AUDIT_MAC_UNLBL_STCADD,1416,SC,NetLabel: add a static label +AUDIT_MAC_UNLBL_STCDEL,1417,SC,NetLabel: del a static label +AUDIT_MAC_CALIPSO_ADD,1418,SC,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry +AUDIT_MAC_CALIPSO_DEL,1419,SC,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry +AUDIT_AA,1500,, +AUDIT_APPARMOR_AUDIT,1501,SC, +AUDIT_APPARMOR_ALLOWED,1502,SC, +AUDIT_APPARMOR_DENIED,1503,SC, +AUDIT_APPARMOR_HINT,1504,SC, +AUDIT_APPARMOR_STATUS,1505,SC, +AUDIT_APPARMOR_ERROR,1506,SC, +AUDIT_APPARMOR_KILL,enum1507,SC, +AUDIT_ANOM_PROMISCUOUS,1700,SC/IND,Device changed promiscuous mode +AUDIT_ANOM_ABEND,1701,IND,Process ended abnormally +AUDIT_ANOM_LINK,1702,SC?,Suspicious use of file links +AUDIT_INTEGRITY_DATA,1800,SC,Data integrity verification +AUDIT_INTEGRITY_METADATA,1801,SC,Metadata integrity verification +AUDIT_INTEGRITY_STATUS,1802,SC,Integrity enable status +AUDIT_INTEGRITY_HASH,1803,SC,Integrity HASH type +AUDIT_INTEGRITY_PCR,1804,SC,PCR (Platform Configuration Register) invalidation messages +AUDIT_INTEGRITY_RULE,1805,SC/IND,Policy rule +AUDIT_KERNEL,2000,IND,Kernel audit status +AUDIT_ANOM_LOGIN_FAILURES,2100,USR,Failed login limit reached +AUDIT_ANOM_LOGIN_TIME,2101,USR,Login attempted at bad time +AUDIT_ANOM_LOGIN_SESSIONS,2102,USR,Maximum concurrent sessions reached +AUDIT_ANOM_LOGIN_ACCT,2103,USR,Login attempted to watched account +AUDIT_ANOM_LOGIN_LOCATION,2104,USR,Login from forbidden location +AUDIT_ANOM_MAX_DAC,2105,USR,Max DAC (Discretionary Access Control) failures reached +AUDIT_ANOM_MAX_MAC,2106,USR,Max MAC (Mandatory Access Control) failures reached +AUDIT_ANOM_AMTU_FAIL,2107,USR,AMTU (Abstract Machine Test Utility) failure +AUDIT_ANOM_RBAC_FAIL,2108,USR,RBAC (Role-Based Access Control) self test failure +AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,USR,RBAC (Role-Based Access Control) file integrity test failure +AUDIT_ANOM_CRYPTO_FAIL,2110,USR,Crypto system test failure +AUDIT_ANOM_ACCESS_FS,2111,USR,Access of file or directory ended abnormally +AUDIT_ANOM_EXEC,2112,USR,Execution of file ended abnormally +AUDIT_ANOM_MK_EXEC,2113,USR,Make an executable +AUDIT_ANOM_ADD_ACCT,2114,USR,Adding a user account ended abnormally +AUDIT_ANOM_DEL_ACCT,2115,USR,Deleting a user account ended abnormally +AUDIT_ANOM_MOD_ACCT,2116,USR,Changing an account ended abnormally +AUDIT_ANOM_ROOT_TRANS,2117,USR,User became root +AUDIT_RESP_ANOMALY,2200,USR,Anomaly not reacted to +AUDIT_RESP_ALERT,2201,USR,Alert email was sent +AUDIT_RESP_KILL_PROC,2202,USR,Kill program +AUDIT_RESP_TERM_ACCESS,2203,USR,Terminate session +AUDIT_RESP_ACCT_REMOTE,2204,USR,User account locked from remote access +AUDIT_RESP_ACCT_LOCK_TIMED,2205,USR,User account locked for time +AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,USR,User account unlocked from time +AUDIT_RESP_ACCT_LOCK,2207,USR,User account was locked +AUDIT_RESP_TERM_LOCK,2208,USR,Terminal was locked +AUDIT_RESP_SEBOOL,2209,USR,Set an SELinux boolean +AUDIT_RESP_EXEC,2210,USR,Execute a script +AUDIT_RESP_SINGLE,2211,USR,Go to single user mode +AUDIT_RESP_HALT,2212,USR,Take the system down +AUDIT_USER_ROLE_CHANGE,2300,USR,User changed to a new SELinux role +AUDIT_ROLE_ASSIGN,2301,USR,Administrator assigned user to SELinux role +AUDIT_ROLE_REMOVE,2302,USR,Administrator removed user from SELinux role +AUDIT_LABEL_OVERRIDE,2303,USR,Administrator is overriding a SELinux label +AUDIT_LABEL_LEVEL_CHANGE,2304,USR,Object level SELinux label modified +AUDIT_USER_LABELED_EXPORT,2305,USR,Object exported with SELinux label +AUDIT_USER_UNLABELED_EXPORT,2306,USR,Object exported without SELinux label +AUDIT_DEV_ALLOC,2307,USR,Device was allocated +AUDIT_DEV_DEALLOC,2308,USR,Device was deallocated +AUDIT_FS_RELABEL,2309,USR,Filesystem relabeled +AUDIT_USER_MAC_POLICY_LOAD,2310,USR,Usersapce daemon loaded SELinux policy +AUDIT_ROLE_MODIFY,2311,USR,Administrator modified an SELinux role +AUDIT_USER_MAC_CONFIG_CHANGE,2312,USR,Change made to MAC (Mandatory Access Control) policy +AUDIT_CRYPTO_TEST_USER,2400,USR,Cryptographic test results +AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,USR,Cryptographic attribute change +AUDIT_CRYPTO_LOGIN,2402,USR,Cryptographic officer login +AUDIT_CRYPTO_LOGOUT,2403,USR,Cryptographic officer logout +AUDIT_CRYPTO_KEY_USER,2404,USR,"Create, delete, negotiate cryptographic key identifier" +AUDIT_CRYPTO_FAILURE_USER,2405,USR,"Fail decrypt, encrypt or randomize operation" +AUDIT_CRYPTO_REPLAY_USER,2406,USR,Cryptographic replay attack detected +AUDIT_CRYPTO_SESSION,2407,USR,Parameters set during TLS session establishment +AUDIT_CRYPTO_IKE_SA,2408,USR,Parameters related to IKE SA +AUDIT_CRYPTO_IPSEC_SA,2409,USR,Parameters related to IPSEC SA +AUDIT_VIRT_CONTROL,2500,USR,"Start, Pause, Stop VM" +AUDIT_VIRT_RESOURCE,2501,USR,Resource assignment +AUDIT_VIRT_MACHINE_ID,2502,USR,Binding of label to VM +AUDIT_VIRT_INTEGRITY_CHECK,2503,USR,Guest integrity results +AUDIT_VIRT_CREATE,2504,USR,Creation of guest image +AUDIT_VIRT_DESTROY,2505,USR,Destruction of guest image +AUDIT_VIRT_MIGRATE_IN,2506,USR,Inbound guest migration info +AUDIT_VIRT_MIGRATE_OUT,2507,USR,Outbound guest migration info -- 1.7.1

7 years, 4 months

3
7
0 / 0

ANOM_ABEND events are missing

by Steve Grubb

Hello Richard & Paul, I have been noticing something lately. I have applications that crash and I get a notification from abrtd but when I go looking, there is no matching ANOM_ABEND records. This is one a 4.11.11 kernel. The purpose of the ANOM_ABEND record is to indicate that a program has crashed and receieved a SIGSEGV or any other signal that results in termination. By any chance has something changed where our hook is placed? I also can't tell you when this started, I have a feeling this has been happening for over a year. -Steve

7 years, 4 months

2
1
0 / 0

[GIT PULL] Audit fix for v4.13 (#1)

by Paul Moore

Hi Linus, A small audit fix, just a single line, to plug a memory leak in some audit error handling code. Please merge for the next 4.13-rcX release. Thanks, -Paul --- The following changes since commit cd33f5f2cbfaadc21270f3ddac7c3c33e0a1a28c: audit: make sure we never skip the multicast broadcast (2017-06-16 11:51:00 -0400) are available in the git repository at: git://git.infradead.org/users/pcmoore/audit stable-4.13 for you to fetch changes up to b0659ae5e30074ede1dc08f2c6d64f0c11d64e0f: audit: fix memleak in auditd_send_unicast_skb. (2017-07-19 10:28:54 -0400) ---------------------------------------------------------------- Shu Wang (1): audit: fix memleak in auditd_send_unicast_skb. kernel/audit.c | 1 + 1 file changed, 1 insertion(+) -- paul moore www.paul-moore.com

7 years, 5 months

2
2
0 / 0

ENRICHED log_format not encoding all parameters

by Peter KRIVANSKY

Hello together, I am writing to this mailing list as I have not found any working solution online. We use the audit with ENRICHED log_format, but we see lots of parameters not being decoded from HEX, Here are the auditd settings: log_file = /var/log/audit/audit.log log_format = ENRICHED log_group = root priority_boost = 4 flush = incremental freq = 6000 num_logs = 10 disp_qos = lossy dispatcher = /sbin/audispd name_format = hostname max_log_file = 30 max_log_file_action = ROTATE space_left = 150 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 100 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND tcp_listen_queue = 5 tcp_max_per_addr = 1 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd Installed audit Version: 2.6.5-3.el7_3.1 Here the problem parts of the Audit log (parameter a2): node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): argc=3 a0="/bin/sh" a1="-c" a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31 not decoded parameter (a14) in the middle: node= hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" a13="pattern=*33_0550_L_*.CK8" a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 a15="MaxCrit=1" We need ENRICHED log_formad so we can analyze audit logs on a central Log server. I tried to increase the „priority_boost“ parameter to 6, and increased the „freq“ param. to 6000 to give the auditd more time for decoding. None of the mentioned helped. What I don’t understand is that sometimes it’s the last parameters which is not decoded, and sometimes it one in the middle. See example above Any kind of advice is welcome With kind regards Peter This email and its content belong to Ingenico Group. The enclosed information is confidential and may not be disclosed to any unauthorized person. If you have received it by mistake do not forward it and delete it from your system. Cet email et son contenu sont la propriété du Groupe Ingenico. L’information qu’il contient est confidentielle et ne peut être communiquée à des personnes non autorisées. Si vous l’avez reçu par erreur ne le transférez pas et supprimez-le.

7 years, 5 months

2
1
0 / 0

[PATCH] audit: fix memleak in auditd_send_unicast_skb.

by shuwang＠redhat.com

From: Shu Wang <shuwang(a)redhat.com> Found this issue by kmemleak report, auditd_send_unicast_skb did not free skb if rcu_dereference(auditd_conn) returns null. unreferenced object 0xffff88082568ce00 (size 256): comm "auditd", pid 1119, jiffies 4294708499 backtrace: [<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0 [<ffffffff8121820c>] kmem_cache_alloc_node+0xcc/0x210 [<ffffffff8161b99d>] __alloc_skb+0x5d/0x290 [<ffffffff8113c614>] audit_make_reply+0x54/0xd0 [<ffffffff8113dfa7>] audit_receive_msg+0x967/0xd70 ---------------- (gdb) list *audit_receive_msg+0x967 0xffffffff8113dff7 is in audit_receive_msg (kernel/audit.c:1133). 1132 skb = audit_make_reply(0, AUDIT_REPLACE, 0, 0, &pvnr, sizeof(pvnr)); --------------- [<ffffffff8113e402>] audit_receive+0x52/0xa0 [<ffffffff8166c561>] netlink_unicast+0x181/0x240 [<ffffffff8166c8e2>] netlink_sendmsg+0x2c2/0x3b0 [<ffffffff816112e8>] sock_sendmsg+0x38/0x50 [<ffffffff816117a2>] SYSC_sendto+0x102/0x190 [<ffffffff81612f4e>] SyS_sendto+0xe/0x10 [<ffffffff8176d337>] entry_SYSCALL_64_fastpath+0x1a/0xa5 [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by: Shu Wang <shuwang(a)redhat.com> --- kernel/audit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/audit.c b/kernel/audit.c index 833267b..6dd5569 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -641,6 +641,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb) ac = rcu_dereference(auditd_conn); if (!ac) { rcu_read_unlock(); + kfree_skb(skb); rc = -ECONNREFUSED; goto err; } -- 2.5.0

7 years, 5 months

3
3
0 / 0

[PATCH] Free skb at error context in auditd_send_unicast_skb().

by Masami Ichikawa

I got following memory leak reports by kmemleak. unreferenced object 0xffff965962fa0600 (size 256): comm "auditd", pid 401, jiffies 4294671604 (age 62.331s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffffb8859baa>] kmemleak_alloc+0x4a/0xa0 [<ffffffffb8238a96>] kmem_cache_alloc_node+0x146/0x1f0 [<ffffffffb870e52b>] __alloc_skb+0x5b/0x1e0 [<ffffffffb814fc5c>] audit_make_reply+0x5c/0xd0 [<ffffffffb815160a>] audit_receive_msg+0xa1a/0xe60 [<ffffffffb8151aa3>] audit_receive+0x53/0xa0 [<ffffffffb875e95b>] netlink_unicast+0x18b/0x220 [<ffffffffb875ecb5>] netlink_sendmsg+0x2c5/0x3c0 [<ffffffffb8705008>] sock_sendmsg+0x38/0x50 [<ffffffffb870558f>] SYSC_sendto+0x13f/0x180 [<ffffffffb870608e>] SyS_sendto+0xe/0x10 [<ffffffffb8003a57>] do_syscall_64+0x67/0x140 [<ffffffffb8865ca7>] return_from_SYSCALL_64+0x0/0x6a [<ffffffffffffffff>] 0xffffffffffffffff unreferenced object 0xffff96595a9da600 (size 512): comm "auditd", pid 401, jiffies 4294671604 (age 62.331s) hex dump (first 32 bytes): 14 00 00 00 31 05 00 00 00 00 00 00 00 00 00 00 ....1........... 91 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffffb8859baa>] kmemleak_alloc+0x4a/0xa0 [<ffffffffb823c8a3>] __kmalloc_node_track_caller+0x233/0x2f0 [<ffffffffb870d9d1>] __kmalloc_reserve.isra.38+0x31/0x90 [<ffffffffb870e557>] __alloc_skb+0x87/0x1e0 [<ffffffffb814fc5c>] audit_make_reply+0x5c/0xd0 [<ffffffffb815160a>] audit_receive_msg+0xa1a/0xe60 [<ffffffffb8151aa3>] audit_receive+0x53/0xa0 [<ffffffffb875e95b>] netlink_unicast+0x18b/0x220 [<ffffffffb875ecb5>] netlink_sendmsg+0x2c5/0x3c0 [<ffffffffb8705008>] sock_sendmsg+0x38/0x50 [<ffffffffb870558f>] SYSC_sendto+0x13f/0x180 [<ffffffffb870608e>] SyS_sendto+0xe/0x10 [<ffffffffb8003a57>] do_syscall_64+0x67/0x140 [<ffffffffb8865ca7>] return_from_SYSCALL_64+0x0/0x6a [<ffffffffffffffff>] 0xffffffffffffffff These skb objects have been allocated in audit_replace(). If some error happened in auditd_send_unicast_skb(), skb is needed to be freed. Signed-off-by: Masami Ichikawa <masami256(a)gmail.com> --- kernel/audit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/audit.c b/kernel/audit.c index 833267bbd80b..789f4cc1f481 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -659,6 +659,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb) err: if (ac && rc == -ECONNREFUSED) auditd_reset(ac); + kfree_skb(skb); return rc; } -- 2.13.0

7 years, 5 months

2
1
0 / 0

[PATCH 00/15] v3 kernel core pieces refcount conversions

by Elena Reshetova

Changes in v3: * SoB chain corrected * minor corrections based on v2 feedback * rebase on linux-next/master as of today Changes in v2: * dropped already merged patches * rebase on top of linux-next/master * Now by default refcount_t = atomic_t (*) and uses all atomic standard operations unless CONFIG_REFCOUNT_FULL is enabled. This is a compromise for the systems that are critical on performance (such as net) and cannot accept even slight delay on the refcounter operations. This series, for core kernel components, replaces atomic_t reference counters with the new refcount_t type and API (see include/linux/refcount.h). By doing this we prevent intentional or accidental underflows or overflows that can led to use-after-free vulnerabilities. The patches are fully independent and can be cherry-picked separately. If there are no objections to the patches, please merge them via respective trees. If you want to test with refcount_t protection enabled, CONFIG_REFCOUNT_FULL must be enabled. * The respective change is currently merged into -next as "locking/refcount: Create unchecked atomic_t implementation". Elena Reshetova (15): kernel: convert sighand_struct.count from atomic_t to refcount_t kernel: convert signal_struct.sigcnt from atomic_t to refcount_t kernel: convert user_struct.__count from atomic_t to refcount_t kernel: convert task_struct.usage from atomic_t to refcount_t kernel: convert task_struct.stack_refcount from atomic_t to refcount_t kernel: convert perf_event_context.refcount from atomic_t to refcount_t kernel: convert ring_buffer.refcount from atomic_t to refcount_t kernel: convert ring_buffer.aux_refcount from atomic_t to refcount_t kernel: convert uprobe.ref from atomic_t to refcount_t kernel: convert nsproxy.count from atomic_t to refcount_t kernel: convert group_info.usage from atomic_t to refcount_t kernel: convert cred.usage from atomic_t to refcount_t sched: convert numa_group.refcount from atomic_t to refcount_t kernel: convert futex_pi_state.refcount from atomic_t to refcount_t kernel: convert kcov.refcount from atomic_t to refcount_t fs/exec.c | 4 ++-- fs/proc/task_nommu.c | 2 +- include/linux/cred.h | 13 ++++++------ include/linux/init_task.h | 7 +++--- include/linux/nsproxy.h | 6 +++--- include/linux/perf_event.h | 3 ++- include/linux/sched.h | 5 +++-- include/linux/sched/signal.h | 5 +++-- include/linux/sched/task.h | 4 ++-- include/linux/sched/task_stack.h | 2 +- include/linux/sched/user.h | 5 +++-- kernel/cred.c | 46 ++++++++++++++++++++-------------------- kernel/events/core.c | 18 ++++++++-------- kernel/events/internal.h | 5 +++-- kernel/events/ring_buffer.c | 8 +++---- kernel/events/uprobes.c | 8 +++---- kernel/fork.c | 24 ++++++++++----------- kernel/futex.c | 13 ++++++------ kernel/groups.c | 2 +- kernel/kcov.c | 9 ++++---- kernel/nsproxy.c | 6 +++--- kernel/sched/fair.c | 8 +++---- kernel/user.c | 8 +++---- 23 files changed, 110 insertions(+), 101 deletions(-) -- 2.7.4

7 years, 5 months

3
19
0 / 0

AUDITs needed

by warron.french

This may be faster and also a better way to summarize and share with others. I will list the AUDIT(test#letter) and then below it place *Method of implementation:* and if the field is marked in green, it is validated by someone from linux-audit(a)redhat.com (Steve Grubb for example) and the text provided will answer the question for other sysadmins with similar requirements (on a per test#letter basis). I am presenting what I need to know how to audit, in hopes to illicit a response of "BUILTIN" or a link or some text that clarifies what to do: *AUDIT(A): Logons/Logoffs (success/failure)* Method of implementation: Builtin to AUDITD (enable auditd) *AUDIT(B): User {additions, deletions, modifications, suspensions and lockings}* Method of implementation: Builtin to AUDITD (enable auditd) *AUDIT(C): Group and Role {additions, deletions and modifications}* Method of implementation: Builtin to AUDITD (enable auditd) *AUDITD(D): Security or Audit Policies* Method of implementation: *AUDIT(E): Configuration Changes* (please be patient with me, as I believe this is way too broad a definition from my security people; however, there is a field from aureport called "*Number of changes in configuration:*" too. Method of implementation: can this be done by; *-w /etc/ -p raw -k config_changes* even this seems too broad a solution and I don't believe it will capture the essence of *AUDIT(E).* *AUDIT(F): Admin/Root-level accesses* Method of implementation: can this be done by; *-w /bin/su -p x -k running_as_root -w /bin/sudo -p x -k running_as_root -w /sbin/runuser -p x -k running_as_root* *AUDIT(G): Privilege/Role Escalation *(I need to ask how this differs from AUDIT(F) from my management/security people) Method of implementation: *AUDIT(H): System reboot/shutdown/change run-state*Method of implementation: can this be done by; *-w /sbin/init -p x -k run_state -w /sbin/telinit -p x -k run_state* *-w /sbin/shutdown -p x -k run_state -w /sbin/reboot -p x -k run_state etc.. etc.. etc..* *AUDIT(I): Application Initialization* (seems way to vague to me, don't you all agree?) Method of implementation: *AUDIT(J): Writes/Downloads to external devices (thumdrives,media *(like DvDs/CD), etc.. *)*Method of implementation: can this be done by -a .... -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=4294967295 -k mount_datawrite_operations? No, what do I use? *AUDIT(K): Print to a device or file*Method of implementation: *AUDIT(L): Audit data and log data access *(nevremind, this would kill a system - correct, unless I limit monitoring to audit.log.*) Method of implementation: *AUDIT(M): Device attach/detach mount/dismount *(Perhaps this would catch 1 or more than 1 individual doing something devious as a team in conjunction with *AUDIT(J)*?) Method of implementation: Thank you for your vast patience and cooperation. -------------------------- Warron French

7 years, 5 months

1
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit July 2017