[RFC PATCH] specs: update message dictionary with source column
by Richard Guy Briggs
Add a column to indicate the source of the message, including indicating
whether or not it is related to syscalls.
Column name: SOURCE
Key:
CTL Control messages, usually initiated by audit daemon.
DEP Deprecated message types
IND Independent kernel message
USR User message
SC System-call related kernel message
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
specs/messages/message-dictionary.csv | 393 +++++++++++++++++----------------
1 files changed, 197 insertions(+), 196 deletions(-)
diff --git a/specs/messages/message-dictionary.csv b/specs/messages/message-dictionary.csv
index 9831236..a0f8983 100644
--- a/specs/messages/message-dictionary.csv
+++ b/specs/messages/message-dictionary.csv
@@ -1,196 +1,197 @@
-MACRO NAME,VALUE,DESCRIPITON
-AUDIT_GET,1000,Get status
-AUDIT_SET,1001,Set status (enable/disable/auditd)
-AUDIT_LIST,1002,List syscall rules -- deprecated
-AUDIT_ADD,1003,Add syscall rule -- deprecated
-AUDIT_DEL,1004,Delete syscall rule -- deprecated
-AUDIT_USER,1005,Message from userspace -- deprecated
-AUDIT_LOGIN,1006,Define the login ID and information
-AUDIT_WATCH_INS,1007,Insert file/dir watch entry
-AUDIT_WATCH_REM,1008,Remove file/dir watch entry
-AUDIT_WATCH_LIST,1009,List all file/dir watches
-AUDIT_SIGNAL_INFO,1010,Get info about sender of signal to auditd
-AUDIT_ADD_RULE,1011,Add syscall filtering rule
-AUDIT_DEL_RULE,1012,Delete syscall filtering rule
-AUDIT_LIST_RULES,1013,List syscall filtering rules
-AUDIT_TRIM,1014,Trim junk from watched tree
-AUDIT_MAKE_EQUIV,1015,Append to watched tree
-AUDIT_TTY_GET,1016,Get TTY auditing status
-AUDIT_TTY_SET,1017,Set TTY auditing status
-AUDIT_SET_FEATURE,1018,Turn an audit feature on or off
-AUDIT_GET_FEATURE,1019,Get which features are enabled
-AUDIT_USER_AUTH,1100,User system access authentication
-AUDIT_USER_ACCT,1101,User system access authorization
-AUDIT_USER_MGMT,1102,User account attribute change
-AUDIT_CRED_ACQ,1103,User credential acquired
-AUDIT_CRED_DISP,1104,User credential disposed
-AUDIT_USER_START,1105,User session start
-AUDIT_USER_END,1106,User session end
-AUDIT_USER_AVC,1107,User space AVC (Access Vector Cache) message
-AUDIT_USER_CHAUTHTOK,1108,User account password or PIN changed
-AUDIT_USER_ERR,1109,User account state error
-AUDIT_CRED_REFR,1110,User credential refreshed
-AUDIT_USYS_CONFIG,1111,User space system config change
-AUDIT_USER_LOGIN,1112,User has logged in
-AUDIT_USER_LOGOUT,1113,User has logged out
-AUDIT_ADD_USER,1114,User account added
-AUDIT_DEL_USER,1115,User account deleted
-AUDIT_ADD_GROUP,1116,Group account added
-AUDIT_DEL_GROUP,1117,Group account deleted
-AUDIT_DAC_CHECK,1118,User space DAC check results
-AUDIT_CHGRP_ID,1119,User space group ID changed
-AUDIT_TEST,1120,Used for test success messages
-AUDIT_TRUSTED_APP,1121,Trusted app msg - freestyle text
-AUDIT_USER_SELINUX_ERR,1122,SELinux user space error
-AUDIT_USER_CMD,1123,User shell command and args
-AUDIT_USER_TTY,1124,Non-ICANON TTY input meaning
-AUDIT_CHUSER_ID,1125,Changed user ID supplemental data
-AUDIT_GRP_AUTH,1126,Authentication for group password
-AUDIT_SYSTEM_BOOT,1127,System boot
-AUDIT_SYSTEM_SHUTDOWN,1128,System shutdown
-AUDIT_SYSTEM_RUNLEVEL,1129,System runlevel change
-AUDIT_SERVICE_START,1130,Service (daemon) start
-AUDIT_SERVICE_STOP,1131,Service (daemon) stop
-AUDIT_GRP_MGMT,1132,Group account attribute was modified
-AUDIT_GRP_CHAUTHTOK,1133,Group account password or PIN changed
-AUDIT_MAC_CHECK,1134,User space MAC (Mandatory Access Control) decision results
-AUDIT_ACCT_LOCK,1135,User's account locked by admin
-AUDIT_ACCT_UNLOCK,1136,User's account unlocked by admin
-AUDIT_DAEMON_START,1200,Daemon startup record
-AUDIT_DAEMON_END,1201,Daemon normal stop record
-AUDIT_DAEMON_ABORT,1202,Daemon error stop record
-AUDIT_DAEMON_CONFIG,1203,Daemon config change
-AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
-AUDIT_DAEMON_ROTATE,1205,Auditd should rotate logs
-AUDIT_DAEMON_RESUME,1206,Auditd should resume logging
-AUDIT_DAEMON_ACCEPT,1207,Auditd accepted remote connection
-AUDIT_DAEMON_CLOSE,1208,Auditd closed remote connection
-AUDIT_DAEMON_ERR,1209,Auditd internal error
-AUDIT_SYSCALL,1300,System call event information
-AUDIT_FS_WATCH,1301,Deprecated
-AUDIT_PATH,1302,Filename path information
-AUDIT_IPC,1303,System call IPC (Inter-Process Communication) object
-AUDIT_SOCKETCALL,1304,System call socketcall arguments
-AUDIT_CONFIG_CHANGE,1305,Audit system configuration change
-AUDIT_SOCKADDR,1306,System call socket address argument information
-AUDIT_CWD,1307,Current working directory
-AUDIT_EXECVE,1309,Arguments supplied to the execve system call
-AUDIT_IPC_SET_PERM,1311,IPC new permissions record type
-AUDIT_MQ_OPEN,1312,POSIX MQ open record type
-AUDIT_MQ_SENDRECV,1313,POSIX MQ send/receive record type
-AUDIT_MQ_NOTIFY,1314,POSIX MQ notify record type
-AUDIT_MQ_GETSETATTR,1315,POSIX MQ get/set attribute record type
-AUDIT_KERNEL_OTHER,1316,For use by 3rd party modules
-AUDIT_FD_PAIR,1317,Information for pipe and socketpair system calls
-AUDIT_OBJ_PID,1318,ptrace target
-AUDIT_TTY,1319,Input on an administrative TTY
-AUDIT_EOE,1320,End of multi-record event
-AUDIT_BPRM_FCAPS,1321,Information about file system capabilities increasing permissions
-AUDIT_CAPSET,1322,Record showing argument to sys_capset setting process-based capabilities
-AUDIT_MMAP,1323,Mmap system call file descriptor and flags
-AUDIT_NETFILTER_PKT,1324,Packets traversing netfilter chains
-AUDIT_NETFILTER_CFG,1325,Netfilter chain modifications
-AUDIT_SECCOMP,1326,Secure Computing event
-AUDIT_PROCTITLE,1327,Process Title info
-AUDIT_FEATURE_CHANGE,1328,Audit feature changed value
-AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
-AUDIT_KERN_MODULE,1330,Kernel Module events
-AUDIT_AVC,1400,SELinux AVC (Access Vector Cache) denial or grant
-AUDIT_SELINUX_ERR,1401,Internal SELinux errors
-AUDIT_AVC_PATH,1402,"dentry, vfsmount pair from AVC"
-AUDIT_MAC_POLICY_LOAD,1403,SELinux Policy file load
-AUDIT_MAC_STATUS,1404,"SELinux mode (enforcing, permissive, off) changed"
-AUDIT_MAC_CONFIG_CHANGE,1405,SELinux Boolean value modification
-AUDIT_MAC_UNLBL_ALLOW,1406,NetLabel: allow unlabeled traffic
-AUDIT_MAC_CIPSOV4_ADD,1407,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_CIPSOV4_DEL,1408,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_MAP_ADD,1409,NetLabel: add LSM (Linux Security Module) domain mapping
-AUDIT_MAC_MAP_DEL,1410,NetLabel: del LSM (Linux Security Module) domain mapping
-AUDIT_MAC_IPSEC_ADDSA,1411,Not used
-AUDIT_MAC_IPSEC_DELSA,1412,Not used
-AUDIT_MAC_IPSEC_ADDSPD,1413,Not used
-AUDIT_MAC_IPSEC_DELSPD,1414,Not used
-AUDIT_MAC_IPSEC_EVENT,1415,Audit an IPsec event
-AUDIT_MAC_UNLBL_STCADD,1416,NetLabel: add a static label
-AUDIT_MAC_UNLBL_STCDEL,1417,NetLabel: del a static label
-AUDIT_MAC_CALIPSO_ADD,1418,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_MAC_CALIPSO_DEL,1419,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_AA,1500,
-AUDIT_APPARMOR_AUDIT,1501,
-AUDIT_APPARMOR_ALLOWED,1502,
-AUDIT_APPARMOR_DENIED,1503,
-AUDIT_APPARMOR_HINT,1504,
-AUDIT_APPARMOR_STATUS,1505,
-AUDIT_APPARMOR_ERROR,1506,
-AUDIT_ANOM_PROMISCUOUS,1700,Device changed promiscuous mode
-AUDIT_ANOM_ABEND,1701,Process ended abnormally
-AUDIT_ANOM_LINK,1702,Suspicious use of file links
-AUDIT_INTEGRITY_DATA,1800,Data integrity verification
-AUDIT_INTEGRITY_METADATA,1801,Metadata integrity verification
-AUDIT_INTEGRITY_STATUS,1802,Integrity enable status
-AUDIT_INTEGRITY_HASH,1803,Integrity HASH type
-AUDIT_INTEGRITY_PCR,1804,PCR (Platform Configuration Register) invalidation messages
-AUDIT_INTEGRITY_RULE,1805,Policy rule
-AUDIT_KERNEL,2000,Kernel audit status
-AUDIT_ANOM_LOGIN_FAILURES,2100,Failed login limit reached
-AUDIT_ANOM_LOGIN_TIME,2101,Login attempted at bad time
-AUDIT_ANOM_LOGIN_SESSIONS,2102,Maximum concurrent sessions reached
-AUDIT_ANOM_LOGIN_ACCT,2103,Login attempted to watched account
-AUDIT_ANOM_LOGIN_LOCATION,2104,Login from forbidden location
-AUDIT_ANOM_MAX_DAC,2105,Max DAC (Discretionary Access Control) failures reached
-AUDIT_ANOM_MAX_MAC,2106,Max MAC (Mandatory Access Control) failures reached
-AUDIT_ANOM_AMTU_FAIL,2107,AMTU (Abstract Machine Test Utility) failure
-AUDIT_ANOM_RBAC_FAIL,2108,RBAC (Role-Based Access Control) self test failure
-AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,RBAC (Role-Based Access Control) file integrity test failure
-AUDIT_ANOM_CRYPTO_FAIL,2110,Crypto system test failure
-AUDIT_ANOM_ACCESS_FS,2111,Access of file or directory ended abnormally
-AUDIT_ANOM_EXEC,2112,Execution of file ended abnormally
-AUDIT_ANOM_MK_EXEC,2113,Make an executable
-AUDIT_ANOM_ADD_ACCT,2114,Adding a user account ended abnormally
-AUDIT_ANOM_DEL_ACCT,2115,Deleting a user account ended abnormally
-AUDIT_ANOM_MOD_ACCT,2116,Changing an account ended abnormally
-AUDIT_ANOM_ROOT_TRANS,2117,User became root
-AUDIT_RESP_ANOMALY,2200,Anomaly not reacted to
-AUDIT_RESP_ALERT,2201,Alert email was sent
-AUDIT_RESP_KILL_PROC,2202,Kill program
-AUDIT_RESP_TERM_ACCESS,2203,Terminate session
-AUDIT_RESP_ACCT_REMOTE,2204,User account locked from remote access
-AUDIT_RESP_ACCT_LOCK_TIMED,2205,User account locked for time
-AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,User account unlocked from time
-AUDIT_RESP_ACCT_LOCK,2207,User account was locked
-AUDIT_RESP_TERM_LOCK,2208,Terminal was locked
-AUDIT_RESP_SEBOOL,2209,Set an SELinux boolean
-AUDIT_RESP_EXEC,2210,Execute a script
-AUDIT_RESP_SINGLE,2211,Go to single user mode
-AUDIT_RESP_HALT,2212,Take the system down
-AUDIT_USER_ROLE_CHANGE,2300,User changed to a new SELinux role
-AUDIT_ROLE_ASSIGN,2301,Administrator assigned user to SELinux role
-AUDIT_ROLE_REMOVE,2302,Administrator removed user from SELinux role
-AUDIT_LABEL_OVERRIDE,2303,Administrator is overriding a SELinux label
-AUDIT_LABEL_LEVEL_CHANGE,2304,Object level SELinux label modified
-AUDIT_USER_LABELED_EXPORT,2305,Object exported with SELinux label
-AUDIT_USER_UNLABELED_EXPORT,2306,Object exported without SELinux label
-AUDIT_DEV_ALLOC,2307,Device was allocated
-AUDIT_DEV_DEALLOC,2308,Device was deallocated
-AUDIT_FS_RELABEL,2309,Filesystem relabeled
-AUDIT_USER_MAC_POLICY_LOAD,2310,Usersapce daemon loaded SELinux policy
-AUDIT_ROLE_MODIFY,2311,Administrator modified an SELinux role
-AUDIT_USER_MAC_CONFIG_CHANGE,2312,Change made to MAC (Mandatory Access Control) policy
-AUDIT_CRYPTO_TEST_USER,2400,Cryptographic test results
-AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,Cryptographic attribute change
-AUDIT_CRYPTO_LOGIN,2402,Cryptographic officer login
-AUDIT_CRYPTO_LOGOUT,2403,Cryptographic officer logout
-AUDIT_CRYPTO_KEY_USER,2404,"Create, delete, negotiate cryptographic key identifier"
-AUDIT_CRYPTO_FAILURE_USER,2405,"Fail decrypt, encrypt or randomize operation"
-AUDIT_CRYPTO_REPLAY_USER,2406,Cryptographic replay attack detected
-AUDIT_CRYPTO_SESSION,2407,Parameters set during TLS session establishment
-AUDIT_CRYPTO_IKE_SA,2408,Parameters related to IKE SA
-AUDIT_CRYPTO_IPSEC_SA,2409,Parameters related to IPSEC SA
-AUDIT_VIRT_CONTROL,2500,"Start, Pause, Stop VM"
-AUDIT_VIRT_RESOURCE,2501,Resource assignment
-AUDIT_VIRT_MACHINE_ID,2502,Binding of label to VM
-AUDIT_VIRT_INTEGRITY_CHECK,2503,Guest integrity results
-AUDIT_VIRT_CREATE,2504,Creation of guest image
-AUDIT_VIRT_DESTROY,2505,Destruction of guest image
-AUDIT_VIRT_MIGRATE_IN,2506,Inbound guest migration info
-AUDIT_VIRT_MIGRATE_OUT,2507,Outbound guest migration info
+MACRO NAME,VALUE,SOURCE,DESCRIPITON
+AUDIT_GET,1000,CTL,Get status
+AUDIT_SET,1001,CTL,Set status (enable/disable/auditd)
+AUDIT_LIST,1002,DEP,List syscall rules -- deprecated
+AUDIT_ADD,1003,DEP,Add syscall rule -- deprecated
+AUDIT_DEL,1004,DEP,Delete syscall rule -- deprecated
+AUDIT_USER,1005,DEP,Message from userspace -- deprecated
+AUDIT_LOGIN,1006,IND,Define the login ID and information
+AUDIT_WATCH_INS,1007,DEP,Insert file/dir watch entry
+AUDIT_WATCH_REM,1008,DEP,Remove file/dir watch entry
+AUDIT_WATCH_LIST,1009,DEP,List all file/dir watches
+AUDIT_SIGNAL_INFO,1010,CTL,Get info about sender of signal to auditd
+AUDIT_ADD_RULE,1011,CTL,Add syscall filtering rule
+AUDIT_DEL_RULE,1012,CTL,Delete syscall filtering rule
+AUDIT_LIST_RULES,1013,CTL,List syscall filtering rules
+AUDIT_TRIM,1014,CTL,Trim junk from watched tree
+AUDIT_MAKE_EQUIV,1015,CTL,Append to watched tree
+AUDIT_TTY_GET,1016,CTL,Get TTY auditing status
+AUDIT_TTY_SET,1017,CTL,Set TTY auditing status
+AUDIT_SET_FEATURE,1018,CTL,Turn an audit feature on or off
+AUDIT_GET_FEATURE,1019,CTL,Get which features are enabled
+AUDIT_USER_AUTH,1100,USR,User system access authentication
+AUDIT_USER_ACCT,1101,USR,User system access authorization
+AUDIT_USER_MGMT,1102,USR,User account attribute change
+AUDIT_CRED_ACQ,1103,USR,User credential acquired
+AUDIT_CRED_DISP,1104,USR,User credential disposed
+AUDIT_USER_START,1105,USR,User session start
+AUDIT_USER_END,1106,USR,User session end
+AUDIT_USER_AVC,1107,USR,User space AVC (Access Vector Cache) message
+AUDIT_USER_CHAUTHTOK,1108,USR,User account password or PIN changed
+AUDIT_USER_ERR,1109,USR,User account state error
+AUDIT_CRED_REFR,1110,USR,User credential refreshed
+AUDIT_USYS_CONFIG,1111,USR,User space system config change
+AUDIT_USER_LOGIN,1112,USR,User has logged in
+AUDIT_USER_LOGOUT,1113,USR,User has logged out
+AUDIT_ADD_USER,1114,USR,User account added
+AUDIT_DEL_USER,1115,USR,User account deleted
+AUDIT_ADD_GROUP,1116,USR,Group account added
+AUDIT_DEL_GROUP,1117,USR,Group account deleted
+AUDIT_DAC_CHECK,1118,USR,User space DAC check results
+AUDIT_CHGRP_ID,1119,USR,User space group ID changed
+AUDIT_TEST,1120,USR,Used for test success messages
+AUDIT_TRUSTED_APP,1121,USR,Trusted app msg - freestyle text
+AUDIT_USER_SELINUX_ERR,1122,USR,SELinux user space error
+AUDIT_USER_CMD,1123,USR,User shell command and args
+AUDIT_USER_TTY,1124,USR,Non-ICANON TTY input meaning
+AUDIT_CHUSER_ID,1125,USR,Changed user ID supplemental data
+AUDIT_GRP_AUTH,1126,USR,Authentication for group password
+AUDIT_SYSTEM_BOOT,1127,USR,System boot
+AUDIT_SYSTEM_SHUTDOWN,1128,USR,System shutdown
+AUDIT_SYSTEM_RUNLEVEL,1129,USR,System runlevel change
+AUDIT_SERVICE_START,1130,USR,Service (daemon) start
+AUDIT_SERVICE_STOP,1131,USR,Service (daemon) stop
+AUDIT_GRP_MGMT,1132,USR,Group account attribute was modified
+AUDIT_GRP_CHAUTHTOK,1133,USR,Group account password or PIN changed
+AUDIT_MAC_CHECK,1134,USR,User space MAC (Mandatory Access Control) decision results
+AUDIT_ACCT_LOCK,1135,USR,User's account locked by admin
+AUDIT_ACCT_UNLOCK,1136,USR,User's account unlocked by admin
+AUDIT_DAEMON_START,1200,USR,Daemon startup record
+AUDIT_DAEMON_END,1201,USR,Daemon normal stop record
+AUDIT_DAEMON_ABORT,1202,USR,Daemon error stop record
+AUDIT_DAEMON_CONFIG,1203,USR,Daemon config change
+AUDIT_DAEMON_RECONFIG,1204,USR,Auditd should reconfigure
+AUDIT_DAEMON_ROTATE,1205,USR,Auditd should rotate logs
+AUDIT_DAEMON_RESUME,1206,USR,Auditd should resume logging
+AUDIT_DAEMON_ACCEPT,1207,USR,Auditd accepted remote connection
+AUDIT_DAEMON_CLOSE,1208,USR,Auditd closed remote connection
+AUDIT_DAEMON_ERR,1209,USR,Auditd internal error
+AUDIT_SYSCALL,1300,SC,System call event information
+AUDIT_FS_WATCH,1301,DEP,Deprecated
+AUDIT_PATH,1302,SC,Filename path information
+AUDIT_IPC,1303,SC,System call IPC (Inter-Process Communication) object
+AUDIT_SOCKETCALL,1304,SC,System call socketcall arguments
+AUDIT_CONFIG_CHANGE,1305,IND,Audit system configuration change
+AUDIT_SOCKADDR,1306,SC,System call socket address argument information
+AUDIT_CWD,1307,SC,Current working directory
+AUDIT_EXECVE,1309,SC,Arguments supplied to the execve system call
+AUDIT_IPC_SET_PERM,1311,SC,IPC new permissions record type
+AUDIT_MQ_OPEN,1312,SC,POSIX MQ open record type
+AUDIT_MQ_SENDRECV,1313,SC,POSIX MQ send/receive record type
+AUDIT_MQ_NOTIFY,1314,SC,POSIX MQ notify record type
+AUDIT_MQ_GETSETATTR,1315,SC,POSIX MQ get/set attribute record type
+AUDIT_KERNEL_OTHER,1316,IND,For use by 3rd party modules
+AUDIT_FD_PAIR,1317,SC,Information for pipe and socketpair system calls
+AUDIT_OBJ_PID,1318,SC,ptrace target
+AUDIT_TTY,1319,IND,Input on an administrative TTY
+AUDIT_EOE,1320,CTL,End of multi-record event
+AUDIT_BPRM_FCAPS,1321,SC,Information about file system capabilities increasing permissions
+AUDIT_CAPSET,1322,SC,Record showing argument to sys_capset setting process-based capabilities
+AUDIT_MMAP,1323,SC,Mmap system call file descriptor and flags
+AUDIT_NETFILTER_PKT,1324,IND,Packets traversing netfilter chains
+AUDIT_NETFILTER_CFG,1325,IND/SC,Netfilter chain modifications
+AUDIT_SECCOMP,1326,IND,Secure Computing event
+AUDIT_PROCTITLE,1327,SC,Process Title info
+AUDIT_FEATURE_CHANGE,1328,IND,Audit feature changed value
+AUDIT_REPLACE,1329,CTL,Replace auditd if this probe unanswerd
+AUDIT_KERN_MODULE,1330,SC,Kernel Module events
+AUDIT_AVC,1400,SC,SELinux AVC (Access Vector Cache) denial or grant
+AUDIT_SELINUX_ERR,1401,SC,Internal SELinux errors
+AUDIT_AVC_PATH,1402,SC,"dentry, vfsmount pair from AVC"
+AUDIT_MAC_POLICY_LOAD,1403,SC,SELinux Policy file load
+AUDIT_MAC_STATUS,1404,SC,"SELinux mode (enforcing, permissive, off) changed"
+AUDIT_MAC_CONFIG_CHANGE,1405,SC,SELinux Boolean value modification
+AUDIT_MAC_UNLBL_ALLOW,1406,SC,NetLabel: allow unlabeled traffic
+AUDIT_MAC_CIPSOV4_ADD,1407,SC,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_CIPSOV4_DEL,1408,SC,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_MAP_ADD,1409,SC,NetLabel: add LSM (Linux Security Module) domain mapping
+AUDIT_MAC_MAP_DEL,1410,SC,NetLabel: del LSM (Linux Security Module) domain mapping
+AUDIT_MAC_IPSEC_ADDSA,1411,DEP,Not used
+AUDIT_MAC_IPSEC_DELSA,1412,DEP,Not used
+AUDIT_MAC_IPSEC_ADDSPD,1413,DEP,Not used
+AUDIT_MAC_IPSEC_DELSPD,1414,DEP,Not used
+AUDIT_MAC_IPSEC_EVENT,1415,SC,Audit an IPsec event
+AUDIT_MAC_UNLBL_STCADD,1416,SC,NetLabel: add a static label
+AUDIT_MAC_UNLBL_STCDEL,1417,SC,NetLabel: del a static label
+AUDIT_MAC_CALIPSO_ADD,1418,SC,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_MAC_CALIPSO_DEL,1419,SC,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_AA,1500,,
+AUDIT_APPARMOR_AUDIT,1501,SC,
+AUDIT_APPARMOR_ALLOWED,1502,SC,
+AUDIT_APPARMOR_DENIED,1503,SC,
+AUDIT_APPARMOR_HINT,1504,SC,
+AUDIT_APPARMOR_STATUS,1505,SC,
+AUDIT_APPARMOR_ERROR,1506,SC,
+AUDIT_APPARMOR_KILL,enum1507,SC,
+AUDIT_ANOM_PROMISCUOUS,1700,SC/IND,Device changed promiscuous mode
+AUDIT_ANOM_ABEND,1701,IND,Process ended abnormally
+AUDIT_ANOM_LINK,1702,SC?,Suspicious use of file links
+AUDIT_INTEGRITY_DATA,1800,SC,Data integrity verification
+AUDIT_INTEGRITY_METADATA,1801,SC,Metadata integrity verification
+AUDIT_INTEGRITY_STATUS,1802,SC,Integrity enable status
+AUDIT_INTEGRITY_HASH,1803,SC,Integrity HASH type
+AUDIT_INTEGRITY_PCR,1804,SC,PCR (Platform Configuration Register) invalidation messages
+AUDIT_INTEGRITY_RULE,1805,SC/IND,Policy rule
+AUDIT_KERNEL,2000,IND,Kernel audit status
+AUDIT_ANOM_LOGIN_FAILURES,2100,USR,Failed login limit reached
+AUDIT_ANOM_LOGIN_TIME,2101,USR,Login attempted at bad time
+AUDIT_ANOM_LOGIN_SESSIONS,2102,USR,Maximum concurrent sessions reached
+AUDIT_ANOM_LOGIN_ACCT,2103,USR,Login attempted to watched account
+AUDIT_ANOM_LOGIN_LOCATION,2104,USR,Login from forbidden location
+AUDIT_ANOM_MAX_DAC,2105,USR,Max DAC (Discretionary Access Control) failures reached
+AUDIT_ANOM_MAX_MAC,2106,USR,Max MAC (Mandatory Access Control) failures reached
+AUDIT_ANOM_AMTU_FAIL,2107,USR,AMTU (Abstract Machine Test Utility) failure
+AUDIT_ANOM_RBAC_FAIL,2108,USR,RBAC (Role-Based Access Control) self test failure
+AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,USR,RBAC (Role-Based Access Control) file integrity test failure
+AUDIT_ANOM_CRYPTO_FAIL,2110,USR,Crypto system test failure
+AUDIT_ANOM_ACCESS_FS,2111,USR,Access of file or directory ended abnormally
+AUDIT_ANOM_EXEC,2112,USR,Execution of file ended abnormally
+AUDIT_ANOM_MK_EXEC,2113,USR,Make an executable
+AUDIT_ANOM_ADD_ACCT,2114,USR,Adding a user account ended abnormally
+AUDIT_ANOM_DEL_ACCT,2115,USR,Deleting a user account ended abnormally
+AUDIT_ANOM_MOD_ACCT,2116,USR,Changing an account ended abnormally
+AUDIT_ANOM_ROOT_TRANS,2117,USR,User became root
+AUDIT_RESP_ANOMALY,2200,USR,Anomaly not reacted to
+AUDIT_RESP_ALERT,2201,USR,Alert email was sent
+AUDIT_RESP_KILL_PROC,2202,USR,Kill program
+AUDIT_RESP_TERM_ACCESS,2203,USR,Terminate session
+AUDIT_RESP_ACCT_REMOTE,2204,USR,User account locked from remote access
+AUDIT_RESP_ACCT_LOCK_TIMED,2205,USR,User account locked for time
+AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,USR,User account unlocked from time
+AUDIT_RESP_ACCT_LOCK,2207,USR,User account was locked
+AUDIT_RESP_TERM_LOCK,2208,USR,Terminal was locked
+AUDIT_RESP_SEBOOL,2209,USR,Set an SELinux boolean
+AUDIT_RESP_EXEC,2210,USR,Execute a script
+AUDIT_RESP_SINGLE,2211,USR,Go to single user mode
+AUDIT_RESP_HALT,2212,USR,Take the system down
+AUDIT_USER_ROLE_CHANGE,2300,USR,User changed to a new SELinux role
+AUDIT_ROLE_ASSIGN,2301,USR,Administrator assigned user to SELinux role
+AUDIT_ROLE_REMOVE,2302,USR,Administrator removed user from SELinux role
+AUDIT_LABEL_OVERRIDE,2303,USR,Administrator is overriding a SELinux label
+AUDIT_LABEL_LEVEL_CHANGE,2304,USR,Object level SELinux label modified
+AUDIT_USER_LABELED_EXPORT,2305,USR,Object exported with SELinux label
+AUDIT_USER_UNLABELED_EXPORT,2306,USR,Object exported without SELinux label
+AUDIT_DEV_ALLOC,2307,USR,Device was allocated
+AUDIT_DEV_DEALLOC,2308,USR,Device was deallocated
+AUDIT_FS_RELABEL,2309,USR,Filesystem relabeled
+AUDIT_USER_MAC_POLICY_LOAD,2310,USR,Usersapce daemon loaded SELinux policy
+AUDIT_ROLE_MODIFY,2311,USR,Administrator modified an SELinux role
+AUDIT_USER_MAC_CONFIG_CHANGE,2312,USR,Change made to MAC (Mandatory Access Control) policy
+AUDIT_CRYPTO_TEST_USER,2400,USR,Cryptographic test results
+AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,USR,Cryptographic attribute change
+AUDIT_CRYPTO_LOGIN,2402,USR,Cryptographic officer login
+AUDIT_CRYPTO_LOGOUT,2403,USR,Cryptographic officer logout
+AUDIT_CRYPTO_KEY_USER,2404,USR,"Create, delete, negotiate cryptographic key identifier"
+AUDIT_CRYPTO_FAILURE_USER,2405,USR,"Fail decrypt, encrypt or randomize operation"
+AUDIT_CRYPTO_REPLAY_USER,2406,USR,Cryptographic replay attack detected
+AUDIT_CRYPTO_SESSION,2407,USR,Parameters set during TLS session establishment
+AUDIT_CRYPTO_IKE_SA,2408,USR,Parameters related to IKE SA
+AUDIT_CRYPTO_IPSEC_SA,2409,USR,Parameters related to IPSEC SA
+AUDIT_VIRT_CONTROL,2500,USR,"Start, Pause, Stop VM"
+AUDIT_VIRT_RESOURCE,2501,USR,Resource assignment
+AUDIT_VIRT_MACHINE_ID,2502,USR,Binding of label to VM
+AUDIT_VIRT_INTEGRITY_CHECK,2503,USR,Guest integrity results
+AUDIT_VIRT_CREATE,2504,USR,Creation of guest image
+AUDIT_VIRT_DESTROY,2505,USR,Destruction of guest image
+AUDIT_VIRT_MIGRATE_IN,2506,USR,Inbound guest migration info
+AUDIT_VIRT_MIGRATE_OUT,2507,USR,Outbound guest migration info
--
1.7.1
8 years
ANOM_ABEND events are missing
by Steve Grubb
Hello Richard & Paul,
I have been noticing something lately. I have applications that crash and I
get a notification from abrtd but when I go looking, there is no matching
ANOM_ABEND records. This is one a 4.11.11 kernel.
The purpose of the ANOM_ABEND record is to indicate that a program has crashed
and receieved a SIGSEGV or any other signal that results in termination. By
any chance has something changed where our hook is placed? I also can't tell
you when this started, I have a feeling this has been happening for over a
year.
-Steve
8 years
[GIT PULL] Audit fix for v4.13 (#1)
by Paul Moore
Hi Linus,
A small audit fix, just a single line, to plug a memory leak in some
audit error handling code. Please merge for the next 4.13-rcX
release.
Thanks,
-Paul
---
The following changes since commit cd33f5f2cbfaadc21270f3ddac7c3c33e0a1a28c:
audit: make sure we never skip the multicast broadcast
(2017-06-16 11:51:00 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.13
for you to fetch changes up to b0659ae5e30074ede1dc08f2c6d64f0c11d64e0f:
audit: fix memleak in auditd_send_unicast_skb. (2017-07-19 10:28:54 -0400)
----------------------------------------------------------------
Shu Wang (1):
audit: fix memleak in auditd_send_unicast_skb.
kernel/audit.c | 1 +
1 file changed, 1 insertion(+)
--
paul moore
www.paul-moore.com
8 years
ENRICHED log_format not encoding all parameters
by Peter KRIVANSKY
Hello together,
I am writing to this mailing list as I have not found any working solution online.
We use the audit with ENRICHED log_format, but we see lots of parameters not being decoded from HEX,
Here are the auditd settings:
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
priority_boost = 4
flush = incremental
freq = 6000
num_logs = 10
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 30
max_log_file_action = ROTATE
space_left = 150
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
Installed audit Version:
2.6.5-3.el7_3.1
Here the problem parts of the Audit log (parameter a2):
node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): argc=3 a0="/bin/sh" a1="-c" a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31
not decoded parameter (a14) in the middle:
node= hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" a13="pattern=*33_0550_L_*.CK8" a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 a15="MaxCrit=1"
We need ENRICHED log_formad so we can analyze audit logs on a central Log server. I tried to increase the „priority_boost“ parameter to 6, and increased the „freq“ param. to 6000 to give the auditd more time for decoding. None of the mentioned helped.
What I don’t understand is that sometimes it’s the last parameters which is not decoded, and sometimes it one in the middle. See example above
Any kind of advice is welcome
With kind regards
Peter
This email and its content belong to Ingenico Group. The enclosed information is confidential and may not be disclosed to any unauthorized person. If you have received it by mistake do not forward it and delete it from your system. Cet email et son contenu sont la propriété du Groupe Ingenico. L’information qu’il contient est confidentielle et ne peut être communiquée à des personnes non autorisées. Si vous l’avez reçu par erreur ne le transférez pas et supprimez-le.
8 years
[PATCH] audit: fix memleak in auditd_send_unicast_skb.
by shuwang@redhat.com
From: Shu Wang <shuwang(a)redhat.com>
Found this issue by kmemleak report, auditd_send_unicast_skb
did not free skb if rcu_dereference(auditd_conn) returns null.
unreferenced object 0xffff88082568ce00 (size 256):
comm "auditd", pid 1119, jiffies 4294708499
backtrace:
[<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0
[<ffffffff8121820c>] kmem_cache_alloc_node+0xcc/0x210
[<ffffffff8161b99d>] __alloc_skb+0x5d/0x290
[<ffffffff8113c614>] audit_make_reply+0x54/0xd0
[<ffffffff8113dfa7>] audit_receive_msg+0x967/0xd70
----------------
(gdb) list *audit_receive_msg+0x967
0xffffffff8113dff7 is in audit_receive_msg (kernel/audit.c:1133).
1132 skb = audit_make_reply(0, AUDIT_REPLACE, 0,
0, &pvnr, sizeof(pvnr));
---------------
[<ffffffff8113e402>] audit_receive+0x52/0xa0
[<ffffffff8166c561>] netlink_unicast+0x181/0x240
[<ffffffff8166c8e2>] netlink_sendmsg+0x2c2/0x3b0
[<ffffffff816112e8>] sock_sendmsg+0x38/0x50
[<ffffffff816117a2>] SYSC_sendto+0x102/0x190
[<ffffffff81612f4e>] SyS_sendto+0xe/0x10
[<ffffffff8176d337>] entry_SYSCALL_64_fastpath+0x1a/0xa5
[<ffffffffffffffff>] 0xffffffffffffffff
Signed-off-by: Shu Wang <shuwang(a)redhat.com>
---
kernel/audit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 833267b..6dd5569 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -641,6 +641,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
ac = rcu_dereference(auditd_conn);
if (!ac) {
rcu_read_unlock();
+ kfree_skb(skb);
rc = -ECONNREFUSED;
goto err;
}
--
2.5.0
8 years
[PATCH] Free skb at error context in auditd_send_unicast_skb().
by Masami Ichikawa
I got following memory leak reports by kmemleak.
unreferenced object 0xffff965962fa0600 (size 256):
comm "auditd", pid 401, jiffies 4294671604 (age 62.331s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffb8859baa>] kmemleak_alloc+0x4a/0xa0
[<ffffffffb8238a96>] kmem_cache_alloc_node+0x146/0x1f0
[<ffffffffb870e52b>] __alloc_skb+0x5b/0x1e0
[<ffffffffb814fc5c>] audit_make_reply+0x5c/0xd0
[<ffffffffb815160a>] audit_receive_msg+0xa1a/0xe60
[<ffffffffb8151aa3>] audit_receive+0x53/0xa0
[<ffffffffb875e95b>] netlink_unicast+0x18b/0x220
[<ffffffffb875ecb5>] netlink_sendmsg+0x2c5/0x3c0
[<ffffffffb8705008>] sock_sendmsg+0x38/0x50
[<ffffffffb870558f>] SYSC_sendto+0x13f/0x180
[<ffffffffb870608e>] SyS_sendto+0xe/0x10
[<ffffffffb8003a57>] do_syscall_64+0x67/0x140
[<ffffffffb8865ca7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff96595a9da600 (size 512):
comm "auditd", pid 401, jiffies 4294671604 (age 62.331s)
hex dump (first 32 bytes):
14 00 00 00 31 05 00 00 00 00 00 00 00 00 00 00 ....1...........
91 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffb8859baa>] kmemleak_alloc+0x4a/0xa0
[<ffffffffb823c8a3>] __kmalloc_node_track_caller+0x233/0x2f0
[<ffffffffb870d9d1>] __kmalloc_reserve.isra.38+0x31/0x90
[<ffffffffb870e557>] __alloc_skb+0x87/0x1e0
[<ffffffffb814fc5c>] audit_make_reply+0x5c/0xd0
[<ffffffffb815160a>] audit_receive_msg+0xa1a/0xe60
[<ffffffffb8151aa3>] audit_receive+0x53/0xa0
[<ffffffffb875e95b>] netlink_unicast+0x18b/0x220
[<ffffffffb875ecb5>] netlink_sendmsg+0x2c5/0x3c0
[<ffffffffb8705008>] sock_sendmsg+0x38/0x50
[<ffffffffb870558f>] SYSC_sendto+0x13f/0x180
[<ffffffffb870608e>] SyS_sendto+0xe/0x10
[<ffffffffb8003a57>] do_syscall_64+0x67/0x140
[<ffffffffb8865ca7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff
These skb objects have been allocated in audit_replace().
If some error happened in auditd_send_unicast_skb(), skb is needed
to be freed.
Signed-off-by: Masami Ichikawa <masami256(a)gmail.com>
---
kernel/audit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 833267bbd80b..789f4cc1f481 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -659,6 +659,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
err:
if (ac && rc == -ECONNREFUSED)
auditd_reset(ac);
+ kfree_skb(skb);
return rc;
}
--
2.13.0
8 years
[PATCH 00/15] v3 kernel core pieces refcount conversions
by Elena Reshetova
Changes in v3:
* SoB chain corrected
* minor corrections based on v2 feedback
* rebase on linux-next/master as of today
Changes in v2:
* dropped already merged patches
* rebase on top of linux-next/master
* Now by default refcount_t = atomic_t (*) and uses all atomic
standard operations unless CONFIG_REFCOUNT_FULL is enabled.
This is a compromise for the systems that are critical on
performance (such as net) and cannot accept even slight delay
on the refcounter operations.
This series, for core kernel components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can led to use-after-free vulnerabilities.
The patches are fully independent and can be cherry-picked separately.
If there are no objections to the patches, please merge them via respective trees.
If you want to test with refcount_t protection enabled, CONFIG_REFCOUNT_FULL
must be enabled.
* The respective change is currently merged into -next as
"locking/refcount: Create unchecked atomic_t implementation".
Elena Reshetova (15):
kernel: convert sighand_struct.count from atomic_t to refcount_t
kernel: convert signal_struct.sigcnt from atomic_t to refcount_t
kernel: convert user_struct.__count from atomic_t to refcount_t
kernel: convert task_struct.usage from atomic_t to refcount_t
kernel: convert task_struct.stack_refcount from atomic_t to refcount_t
kernel: convert perf_event_context.refcount from atomic_t to
refcount_t
kernel: convert ring_buffer.refcount from atomic_t to refcount_t
kernel: convert ring_buffer.aux_refcount from atomic_t to refcount_t
kernel: convert uprobe.ref from atomic_t to refcount_t
kernel: convert nsproxy.count from atomic_t to refcount_t
kernel: convert group_info.usage from atomic_t to refcount_t
kernel: convert cred.usage from atomic_t to refcount_t
sched: convert numa_group.refcount from atomic_t to refcount_t
kernel: convert futex_pi_state.refcount from atomic_t to refcount_t
kernel: convert kcov.refcount from atomic_t to refcount_t
fs/exec.c | 4 ++--
fs/proc/task_nommu.c | 2 +-
include/linux/cred.h | 13 ++++++------
include/linux/init_task.h | 7 +++---
include/linux/nsproxy.h | 6 +++---
include/linux/perf_event.h | 3 ++-
include/linux/sched.h | 5 +++--
include/linux/sched/signal.h | 5 +++--
include/linux/sched/task.h | 4 ++--
include/linux/sched/task_stack.h | 2 +-
include/linux/sched/user.h | 5 +++--
kernel/cred.c | 46 ++++++++++++++++++++--------------------
kernel/events/core.c | 18 ++++++++--------
kernel/events/internal.h | 5 +++--
kernel/events/ring_buffer.c | 8 +++----
kernel/events/uprobes.c | 8 +++----
kernel/fork.c | 24 ++++++++++-----------
kernel/futex.c | 13 ++++++------
kernel/groups.c | 2 +-
kernel/kcov.c | 9 ++++----
kernel/nsproxy.c | 6 +++---
kernel/sched/fair.c | 8 +++----
kernel/user.c | 8 +++----
23 files changed, 110 insertions(+), 101 deletions(-)
--
2.7.4
8 years
AUDITs needed
by warron.french
This may be faster and also a better way to summarize and share with others.
I will list the AUDIT(test#letter) and then below it place *Method of
implementation:* and if the field is marked in green, it is validated by
someone
from linux-audit(a)redhat.com (Steve Grubb for example) and the text provided
will answer the question for other sysadmins with similar requirements (on
a per test#letter basis).
I am presenting what I need to know how to audit, in hopes to illicit a
response of "BUILTIN" or a link or some text that clarifies what to do:
*AUDIT(A): Logons/Logoffs (success/failure)*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(B): User {additions, deletions, modifications, suspensions and
lockings}*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(C): Group and Role {additions, deletions and modifications}*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDITD(D): Security or Audit Policies*
Method of implementation:
*AUDIT(E): Configuration Changes* (please be patient with me, as I believe
this is way too broad a definition from my security people; however, there
is a field from aureport called "*Number of changes in configuration:*" too.
Method of implementation:
can this be done by; *-w /etc/ -p raw -k config_changes* even
this seems too broad a solution and I don't believe it will capture the
essence of
*AUDIT(E).*
*AUDIT(F): Admin/Root-level accesses*
Method of implementation:
can this be done by; *-w /bin/su -p x -k running_as_root -w /bin/sudo
-p x -k running_as_root -w /sbin/runuser -p x -k running_as_root*
*AUDIT(G): Privilege/Role Escalation *(I need to ask how this differs from
AUDIT(F) from my management/security people)
Method of implementation:
*AUDIT(H): System reboot/shutdown/change run-state*Method of implementation:
can this be done by; *-w /sbin/init -p x -k run_state -w
/sbin/telinit -p x -k run_state*
*-w /sbin/shutdown -p x -k run_state -w /sbin/reboot -p x -k run_state
etc.. etc.. etc..*
*AUDIT(I): Application Initialization* (seems way to vague to me, don't
you all agree?)
Method of implementation:
*AUDIT(J): Writes/Downloads to external devices (thumdrives,media *(like
DvDs/CD), etc..
*)*Method of implementation:
can this be done by -a .... -F arch=b64 -S mount -S umount2 -F auid>=1000
-F auid!=4294967295 -k mount_datawrite_operations? No, what do I use?
*AUDIT(K): Print to a device or file*Method of implementation:
*AUDIT(L): Audit data and log data access *(nevremind, this would kill a
system - correct, unless I limit monitoring to audit.log.*)
Method of implementation:
*AUDIT(M): Device attach/detach mount/dismount *(Perhaps this would catch 1
or more than 1 individual doing something devious as a team in conjunction
with *AUDIT(J)*?)
Method of implementation:
Thank you for your vast patience and cooperation.
--------------------------
Warron French
8 years
