Questions about enriched format and Node on RHEL 7.4
by Maupertuis Philippe
Hi,
With Rhel 7.4 just out, I am giving a try at the new audit.
Something seems strange to me.
With the default log_format = RAW in auditd.conf, I get the node= parameter right in rsyslog (through the syslog plugin).
If I switch to log_format = ENRICHED the parameter is missing altogether (no node=)
In both case local there is no node parameter in the local audit.log.
When I run ausearch --format text from the local host I never get node information.
When I run it from the data received by rsyslog (after stripping the prefix with sed 's/^.*audispd://'), I get the node information for the RAW format only.
Another point that bothers me is that I got an extra line did-unknown after each meaningful line when I use the remote content (RAW or ENRICHED)
This is what I get locally
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /bin/pkg-config
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /usr/libexec/grepconf.sh
At 16:03:55 07/08/17 fr18358, acting as root, successfully opened-file /dev/tty using grepconf.sh
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /bin/grep
This is what I get from remote data
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /bin/pkg-config
At 15:43:52 07/08/17 did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /usr/libexec/grepconf.sh
At 15:43:52 07/08/17 did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully opened-file /dev/tty using grepconf.sh
At 15:43:52 07/08/17 did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /bin/grep
Please tell me what I am doing wrong.
Philippe
!!!*************************************************************************************
"Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!"
7 years, 4 months
- 1
- 0
Stop/Disable AUDITD on RHEL7
by warron.french
I am running RHEL 7 Server so that I can also run Red Hat Satellite.
I seem to be having resource contention problems and auditd is a part of
the problem consuming up to 22.0% according to results of the *top* command.
I have:
1. executed a *systemctl disable auditd; systemctl stop auditd* (with
an error about dependencies)
2. executed a *service auditd stop (*and the service stops but doesn't
not remain stopped).
3. Rebooting the machine after the *systemctl disable auditd *also
didn't have any effect.
I did set -e 1 in the audit.rules file so that I could stop the auditd on
my demand, but the service restarts anyway.
Thanks for your help in advance.
--------------------------
Warron French
7 years, 4 months
- 3
- 5
[PATCH] specs: update message dictionary with origin and class columns
by Richard Guy Briggs
Add the "ORIGIN" and "CLASS" columns for easier subsetting in dataframes.
The "ORIGIN" column valid values are "KERN" or "USER".
The "CLASS" column valid values are:
CTL Control messages, usually initiated by userspace audit suite
DEP Deprecated message types
IND Independent messages
SC System-call related messages
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
specs/messages/message-dictionary.csv | 393 +++++++++++++++++----------------
1 files changed, 197 insertions(+), 196 deletions(-)
diff --git a/specs/messages/message-dictionary.csv b/specs/messages/message-dictionary.csv
index 9831236..03e43a2 100644
--- a/specs/messages/message-dictionary.csv
+++ b/specs/messages/message-dictionary.csv
@@ -1,196 +1,197 @@
-MACRO NAME,VALUE,DESCRIPITON
-AUDIT_GET,1000,Get status
-AUDIT_SET,1001,Set status (enable/disable/auditd)
-AUDIT_LIST,1002,List syscall rules -- deprecated
-AUDIT_ADD,1003,Add syscall rule -- deprecated
-AUDIT_DEL,1004,Delete syscall rule -- deprecated
-AUDIT_USER,1005,Message from userspace -- deprecated
-AUDIT_LOGIN,1006,Define the login ID and information
-AUDIT_WATCH_INS,1007,Insert file/dir watch entry
-AUDIT_WATCH_REM,1008,Remove file/dir watch entry
-AUDIT_WATCH_LIST,1009,List all file/dir watches
-AUDIT_SIGNAL_INFO,1010,Get info about sender of signal to auditd
-AUDIT_ADD_RULE,1011,Add syscall filtering rule
-AUDIT_DEL_RULE,1012,Delete syscall filtering rule
-AUDIT_LIST_RULES,1013,List syscall filtering rules
-AUDIT_TRIM,1014,Trim junk from watched tree
-AUDIT_MAKE_EQUIV,1015,Append to watched tree
-AUDIT_TTY_GET,1016,Get TTY auditing status
-AUDIT_TTY_SET,1017,Set TTY auditing status
-AUDIT_SET_FEATURE,1018,Turn an audit feature on or off
-AUDIT_GET_FEATURE,1019,Get which features are enabled
-AUDIT_USER_AUTH,1100,User system access authentication
-AUDIT_USER_ACCT,1101,User system access authorization
-AUDIT_USER_MGMT,1102,User account attribute change
-AUDIT_CRED_ACQ,1103,User credential acquired
-AUDIT_CRED_DISP,1104,User credential disposed
-AUDIT_USER_START,1105,User session start
-AUDIT_USER_END,1106,User session end
-AUDIT_USER_AVC,1107,User space AVC (Access Vector Cache) message
-AUDIT_USER_CHAUTHTOK,1108,User account password or PIN changed
-AUDIT_USER_ERR,1109,User account state error
-AUDIT_CRED_REFR,1110,User credential refreshed
-AUDIT_USYS_CONFIG,1111,User space system config change
-AUDIT_USER_LOGIN,1112,User has logged in
-AUDIT_USER_LOGOUT,1113,User has logged out
-AUDIT_ADD_USER,1114,User account added
-AUDIT_DEL_USER,1115,User account deleted
-AUDIT_ADD_GROUP,1116,Group account added
-AUDIT_DEL_GROUP,1117,Group account deleted
-AUDIT_DAC_CHECK,1118,User space DAC check results
-AUDIT_CHGRP_ID,1119,User space group ID changed
-AUDIT_TEST,1120,Used for test success messages
-AUDIT_TRUSTED_APP,1121,Trusted app msg - freestyle text
-AUDIT_USER_SELINUX_ERR,1122,SELinux user space error
-AUDIT_USER_CMD,1123,User shell command and args
-AUDIT_USER_TTY,1124,Non-ICANON TTY input meaning
-AUDIT_CHUSER_ID,1125,Changed user ID supplemental data
-AUDIT_GRP_AUTH,1126,Authentication for group password
-AUDIT_SYSTEM_BOOT,1127,System boot
-AUDIT_SYSTEM_SHUTDOWN,1128,System shutdown
-AUDIT_SYSTEM_RUNLEVEL,1129,System runlevel change
-AUDIT_SERVICE_START,1130,Service (daemon) start
-AUDIT_SERVICE_STOP,1131,Service (daemon) stop
-AUDIT_GRP_MGMT,1132,Group account attribute was modified
-AUDIT_GRP_CHAUTHTOK,1133,Group account password or PIN changed
-AUDIT_MAC_CHECK,1134,User space MAC (Mandatory Access Control) decision results
-AUDIT_ACCT_LOCK,1135,User's account locked by admin
-AUDIT_ACCT_UNLOCK,1136,User's account unlocked by admin
-AUDIT_DAEMON_START,1200,Daemon startup record
-AUDIT_DAEMON_END,1201,Daemon normal stop record
-AUDIT_DAEMON_ABORT,1202,Daemon error stop record
-AUDIT_DAEMON_CONFIG,1203,Daemon config change
-AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
-AUDIT_DAEMON_ROTATE,1205,Auditd should rotate logs
-AUDIT_DAEMON_RESUME,1206,Auditd should resume logging
-AUDIT_DAEMON_ACCEPT,1207,Auditd accepted remote connection
-AUDIT_DAEMON_CLOSE,1208,Auditd closed remote connection
-AUDIT_DAEMON_ERR,1209,Auditd internal error
-AUDIT_SYSCALL,1300,System call event information
-AUDIT_FS_WATCH,1301,Deprecated
-AUDIT_PATH,1302,Filename path information
-AUDIT_IPC,1303,System call IPC (Inter-Process Communication) object
-AUDIT_SOCKETCALL,1304,System call socketcall arguments
-AUDIT_CONFIG_CHANGE,1305,Audit system configuration change
-AUDIT_SOCKADDR,1306,System call socket address argument information
-AUDIT_CWD,1307,Current working directory
-AUDIT_EXECVE,1309,Arguments supplied to the execve system call
-AUDIT_IPC_SET_PERM,1311,IPC new permissions record type
-AUDIT_MQ_OPEN,1312,POSIX MQ open record type
-AUDIT_MQ_SENDRECV,1313,POSIX MQ send/receive record type
-AUDIT_MQ_NOTIFY,1314,POSIX MQ notify record type
-AUDIT_MQ_GETSETATTR,1315,POSIX MQ get/set attribute record type
-AUDIT_KERNEL_OTHER,1316,For use by 3rd party modules
-AUDIT_FD_PAIR,1317,Information for pipe and socketpair system calls
-AUDIT_OBJ_PID,1318,ptrace target
-AUDIT_TTY,1319,Input on an administrative TTY
-AUDIT_EOE,1320,End of multi-record event
-AUDIT_BPRM_FCAPS,1321,Information about file system capabilities increasing permissions
-AUDIT_CAPSET,1322,Record showing argument to sys_capset setting process-based capabilities
-AUDIT_MMAP,1323,Mmap system call file descriptor and flags
-AUDIT_NETFILTER_PKT,1324,Packets traversing netfilter chains
-AUDIT_NETFILTER_CFG,1325,Netfilter chain modifications
-AUDIT_SECCOMP,1326,Secure Computing event
-AUDIT_PROCTITLE,1327,Process Title info
-AUDIT_FEATURE_CHANGE,1328,Audit feature changed value
-AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
-AUDIT_KERN_MODULE,1330,Kernel Module events
-AUDIT_AVC,1400,SELinux AVC (Access Vector Cache) denial or grant
-AUDIT_SELINUX_ERR,1401,Internal SELinux errors
-AUDIT_AVC_PATH,1402,"dentry, vfsmount pair from AVC"
-AUDIT_MAC_POLICY_LOAD,1403,SELinux Policy file load
-AUDIT_MAC_STATUS,1404,"SELinux mode (enforcing, permissive, off) changed"
-AUDIT_MAC_CONFIG_CHANGE,1405,SELinux Boolean value modification
-AUDIT_MAC_UNLBL_ALLOW,1406,NetLabel: allow unlabeled traffic
-AUDIT_MAC_CIPSOV4_ADD,1407,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_CIPSOV4_DEL,1408,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_MAP_ADD,1409,NetLabel: add LSM (Linux Security Module) domain mapping
-AUDIT_MAC_MAP_DEL,1410,NetLabel: del LSM (Linux Security Module) domain mapping
-AUDIT_MAC_IPSEC_ADDSA,1411,Not used
-AUDIT_MAC_IPSEC_DELSA,1412,Not used
-AUDIT_MAC_IPSEC_ADDSPD,1413,Not used
-AUDIT_MAC_IPSEC_DELSPD,1414,Not used
-AUDIT_MAC_IPSEC_EVENT,1415,Audit an IPsec event
-AUDIT_MAC_UNLBL_STCADD,1416,NetLabel: add a static label
-AUDIT_MAC_UNLBL_STCDEL,1417,NetLabel: del a static label
-AUDIT_MAC_CALIPSO_ADD,1418,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_MAC_CALIPSO_DEL,1419,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_AA,1500,
-AUDIT_APPARMOR_AUDIT,1501,
-AUDIT_APPARMOR_ALLOWED,1502,
-AUDIT_APPARMOR_DENIED,1503,
-AUDIT_APPARMOR_HINT,1504,
-AUDIT_APPARMOR_STATUS,1505,
-AUDIT_APPARMOR_ERROR,1506,
-AUDIT_ANOM_PROMISCUOUS,1700,Device changed promiscuous mode
-AUDIT_ANOM_ABEND,1701,Process ended abnormally
-AUDIT_ANOM_LINK,1702,Suspicious use of file links
-AUDIT_INTEGRITY_DATA,1800,Data integrity verification
-AUDIT_INTEGRITY_METADATA,1801,Metadata integrity verification
-AUDIT_INTEGRITY_STATUS,1802,Integrity enable status
-AUDIT_INTEGRITY_HASH,1803,Integrity HASH type
-AUDIT_INTEGRITY_PCR,1804,PCR (Platform Configuration Register) invalidation messages
-AUDIT_INTEGRITY_RULE,1805,Policy rule
-AUDIT_KERNEL,2000,Kernel audit status
-AUDIT_ANOM_LOGIN_FAILURES,2100,Failed login limit reached
-AUDIT_ANOM_LOGIN_TIME,2101,Login attempted at bad time
-AUDIT_ANOM_LOGIN_SESSIONS,2102,Maximum concurrent sessions reached
-AUDIT_ANOM_LOGIN_ACCT,2103,Login attempted to watched account
-AUDIT_ANOM_LOGIN_LOCATION,2104,Login from forbidden location
-AUDIT_ANOM_MAX_DAC,2105,Max DAC (Discretionary Access Control) failures reached
-AUDIT_ANOM_MAX_MAC,2106,Max MAC (Mandatory Access Control) failures reached
-AUDIT_ANOM_AMTU_FAIL,2107,AMTU (Abstract Machine Test Utility) failure
-AUDIT_ANOM_RBAC_FAIL,2108,RBAC (Role-Based Access Control) self test failure
-AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,RBAC (Role-Based Access Control) file integrity test failure
-AUDIT_ANOM_CRYPTO_FAIL,2110,Crypto system test failure
-AUDIT_ANOM_ACCESS_FS,2111,Access of file or directory ended abnormally
-AUDIT_ANOM_EXEC,2112,Execution of file ended abnormally
-AUDIT_ANOM_MK_EXEC,2113,Make an executable
-AUDIT_ANOM_ADD_ACCT,2114,Adding a user account ended abnormally
-AUDIT_ANOM_DEL_ACCT,2115,Deleting a user account ended abnormally
-AUDIT_ANOM_MOD_ACCT,2116,Changing an account ended abnormally
-AUDIT_ANOM_ROOT_TRANS,2117,User became root
-AUDIT_RESP_ANOMALY,2200,Anomaly not reacted to
-AUDIT_RESP_ALERT,2201,Alert email was sent
-AUDIT_RESP_KILL_PROC,2202,Kill program
-AUDIT_RESP_TERM_ACCESS,2203,Terminate session
-AUDIT_RESP_ACCT_REMOTE,2204,User account locked from remote access
-AUDIT_RESP_ACCT_LOCK_TIMED,2205,User account locked for time
-AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,User account unlocked from time
-AUDIT_RESP_ACCT_LOCK,2207,User account was locked
-AUDIT_RESP_TERM_LOCK,2208,Terminal was locked
-AUDIT_RESP_SEBOOL,2209,Set an SELinux boolean
-AUDIT_RESP_EXEC,2210,Execute a script
-AUDIT_RESP_SINGLE,2211,Go to single user mode
-AUDIT_RESP_HALT,2212,Take the system down
-AUDIT_USER_ROLE_CHANGE,2300,User changed to a new SELinux role
-AUDIT_ROLE_ASSIGN,2301,Administrator assigned user to SELinux role
-AUDIT_ROLE_REMOVE,2302,Administrator removed user from SELinux role
-AUDIT_LABEL_OVERRIDE,2303,Administrator is overriding a SELinux label
-AUDIT_LABEL_LEVEL_CHANGE,2304,Object level SELinux label modified
-AUDIT_USER_LABELED_EXPORT,2305,Object exported with SELinux label
-AUDIT_USER_UNLABELED_EXPORT,2306,Object exported without SELinux label
-AUDIT_DEV_ALLOC,2307,Device was allocated
-AUDIT_DEV_DEALLOC,2308,Device was deallocated
-AUDIT_FS_RELABEL,2309,Filesystem relabeled
-AUDIT_USER_MAC_POLICY_LOAD,2310,Usersapce daemon loaded SELinux policy
-AUDIT_ROLE_MODIFY,2311,Administrator modified an SELinux role
-AUDIT_USER_MAC_CONFIG_CHANGE,2312,Change made to MAC (Mandatory Access Control) policy
-AUDIT_CRYPTO_TEST_USER,2400,Cryptographic test results
-AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,Cryptographic attribute change
-AUDIT_CRYPTO_LOGIN,2402,Cryptographic officer login
-AUDIT_CRYPTO_LOGOUT,2403,Cryptographic officer logout
-AUDIT_CRYPTO_KEY_USER,2404,"Create, delete, negotiate cryptographic key identifier"
-AUDIT_CRYPTO_FAILURE_USER,2405,"Fail decrypt, encrypt or randomize operation"
-AUDIT_CRYPTO_REPLAY_USER,2406,Cryptographic replay attack detected
-AUDIT_CRYPTO_SESSION,2407,Parameters set during TLS session establishment
-AUDIT_CRYPTO_IKE_SA,2408,Parameters related to IKE SA
-AUDIT_CRYPTO_IPSEC_SA,2409,Parameters related to IPSEC SA
-AUDIT_VIRT_CONTROL,2500,"Start, Pause, Stop VM"
-AUDIT_VIRT_RESOURCE,2501,Resource assignment
-AUDIT_VIRT_MACHINE_ID,2502,Binding of label to VM
-AUDIT_VIRT_INTEGRITY_CHECK,2503,Guest integrity results
-AUDIT_VIRT_CREATE,2504,Creation of guest image
-AUDIT_VIRT_DESTROY,2505,Destruction of guest image
-AUDIT_VIRT_MIGRATE_IN,2506,Inbound guest migration info
-AUDIT_VIRT_MIGRATE_OUT,2507,Outbound guest migration info
+MACRO NAME,VALUE,ORIGIN,CLASS,DESCRIPITON
+AUDIT_GET,1000,USER,CTL,Get status
+AUDIT_SET,1001,USER,CTL,Set status (enable/disable/auditd)
+AUDIT_LIST,1002,USER,DEP,List syscall rules -- deprecated
+AUDIT_ADD,1003,USER,DEP,Add syscall rule -- deprecated
+AUDIT_DEL,1004,USER,DEP,Delete syscall rule -- deprecated
+AUDIT_USER,1005,USER,DEP,Message from userspace -- deprecated
+AUDIT_LOGIN,1006,KERN,IND,Define the login ID and information
+AUDIT_WATCH_INS,1007,USER,DEP,Insert file/dir watch entry
+AUDIT_WATCH_REM,1008,USER,DEP,Remove file/dir watch entry
+AUDIT_WATCH_LIST,1009,USER,DEP,List all file/dir watches
+AUDIT_SIGNAL_INFO,1010,USER,CTL,Get info about sender of signal to auditd
+AUDIT_ADD_RULE,1011,USER,CTL,Add syscall filtering rule
+AUDIT_DEL_RULE,1012,USER,CTL,Delete syscall filtering rule
+AUDIT_LIST_RULES,1013,USER,CTL,List syscall filtering rules
+AUDIT_TRIM,1014,USER,CTL,Trim junk from watched tree
+AUDIT_MAKE_EQUIV,1015,USER,CTL,Append to watched tree
+AUDIT_TTY_GET,1016,USER,CTL,Get TTY auditing status
+AUDIT_TTY_SET,1017,USER,CTL,Set TTY auditing status
+AUDIT_SET_FEATURE,1018,USER,CTL,Turn an audit feature on or off
+AUDIT_GET_FEATURE,1019,USER,CTL,Get which features are enabled
+AUDIT_USER_AUTH,1100,USER,IND,User system access authentication
+AUDIT_USER_ACCT,1101,USER,IND,User system access authorization
+AUDIT_USER_MGMT,1102,USER,IND,User account attribute change
+AUDIT_CRED_ACQ,1103,USER,IND,User credential acquired
+AUDIT_CRED_DISP,1104,USER,IND,User credential disposed
+AUDIT_USER_START,1105,USER,IND,User session start
+AUDIT_USER_END,1106,USER,IND,User session end
+AUDIT_USER_AVC,1107,USER,IND,User space AVC (Access Vector Cache) message
+AUDIT_USER_CHAUTHTOK,1108,USER,IND,User account password or PIN changed
+AUDIT_USER_ERR,1109,USER,IND,User account state error
+AUDIT_CRED_REFR,1110,USER,IND,User credential refreshed
+AUDIT_USYS_CONFIG,1111,USER,IND,User space system config change
+AUDIT_USER_LOGIN,1112,USER,IND,User has logged in
+AUDIT_USER_LOGOUT,1113,USER,IND,User has logged out
+AUDIT_ADD_USER,1114,USER,IND,User account added
+AUDIT_DEL_USER,1115,USER,IND,User account deleted
+AUDIT_ADD_GROUP,1116,USER,IND,Group account added
+AUDIT_DEL_GROUP,1117,USER,IND,Group account deleted
+AUDIT_DAC_CHECK,1118,USER,IND,User space DAC check results
+AUDIT_CHGRP_ID,1119,USER,IND,User space group ID changed
+AUDIT_TEST,1120,USER,IND,Used for test success messages
+AUDIT_TRUSTED_APP,1121,USER,IND,Trusted app msg - freestyle text
+AUDIT_USER_SELINUX_ERR,1122,USER,IND,SELinux user space error
+AUDIT_USER_CMD,1123,USER,IND,User shell command and args
+AUDIT_USER_TTY,1124,USER,IND,Non-ICANON TTY input meaning
+AUDIT_CHUSER_ID,1125,USER,IND,Changed user ID supplemental data
+AUDIT_GRP_AUTH,1126,USER,IND,Authentication for group password
+AUDIT_SYSTEM_BOOT,1127,USER,IND,System boot
+AUDIT_SYSTEM_SHUTDOWN,1128,USER,IND,System shutdown
+AUDIT_SYSTEM_RUNLEVEL,1129,USER,IND,System runlevel change
+AUDIT_SERVICE_START,1130,USER,IND,Service (daemon) start
+AUDIT_SERVICE_STOP,1131,USER,IND,Service (daemon) stop
+AUDIT_GRP_MGMT,1132,USER,IND,Group account attribute was modified
+AUDIT_GRP_CHAUTHTOK,1133,USER,IND,Group account password or PIN changed
+AUDIT_MAC_CHECK,1134,USER,IND,User space MAC (Mandatory Access Control) decision results
+AUDIT_ACCT_LOCK,1135,USER,IND,User's account locked by admin
+AUDIT_ACCT_UNLOCK,1136,USER,IND,User's account unlocked by admin
+AUDIT_DAEMON_START,1200,USER,IND,Daemon startup record
+AUDIT_DAEMON_END,1201,USER,IND,Daemon normal stop record
+AUDIT_DAEMON_ABORT,1202,USER,IND,Daemon error stop record
+AUDIT_DAEMON_CONFIG,1203,USER,IND,Daemon config change
+AUDIT_DAEMON_RECONFIG,1204,USER,IND,Auditd should reconfigure
+AUDIT_DAEMON_ROTATE,1205,USER,IND,Auditd should rotate logs
+AUDIT_DAEMON_RESUME,1206,USER,IND,Auditd should resume logging
+AUDIT_DAEMON_ACCEPT,1207,USER,IND,Auditd accepted remote connection
+AUDIT_DAEMON_CLOSE,1208,USER,IND,Auditd closed remote connection
+AUDIT_DAEMON_ERR,1209,USER,IND,Auditd internal error
+AUDIT_SYSCALL,1300,KERN,SC,System call event information
+AUDIT_FS_WATCH,1301,KERN,DEP,Deprecated
+AUDIT_PATH,1302,KERN,SC,Filename path information
+AUDIT_IPC,1303,KERN,SC,System call IPC (Inter-Process Communication) object
+AUDIT_SOCKETCALL,1304,KERN,SC,System call socketcall arguments
+AUDIT_CONFIG_CHANGE,1305,KERN,IND,Audit system configuration change
+AUDIT_SOCKADDR,1306,KERN,SC,System call socket address argument information
+AUDIT_CWD,1307,KERN,SC,Current working directory
+AUDIT_EXECVE,1309,KERN,SC,Arguments supplied to the execve system call
+AUDIT_IPC_SET_PERM,1311,KERN,SC,IPC new permissions record type
+AUDIT_MQ_OPEN,1312,KERN,SC,POSIX MQ open record type
+AUDIT_MQ_SENDRECV,1313,KERN,SC,POSIX MQ send/receive record type
+AUDIT_MQ_NOTIFY,1314,KERN,SC,POSIX MQ notify record type
+AUDIT_MQ_GETSETATTR,1315,KERN,SC,POSIX MQ get/set attribute record type
+AUDIT_KERNEL_OTHER,1316,KERN,IND,For use by 3rd party modules
+AUDIT_FD_PAIR,1317,KERN,SC,Information for pipe and socketpair system calls
+AUDIT_OBJ_PID,1318,KERN,SC,ptrace target
+AUDIT_TTY,1319,KERN,IND,Input on an administrative TTY
+AUDIT_EOE,1320,KERN,CTL,End of multi-record event
+AUDIT_BPRM_FCAPS,1321,KERN,SC,Information about file system capabilities increasing permissions
+AUDIT_CAPSET,1322,KERN,SC,Record showing argument to sys_capset setting process-based capabilities
+AUDIT_MMAP,1323,KERN,SC,Mmap system call file descriptor and flags
+AUDIT_NETFILTER_PKT,1324,KERN,IND,Packets traversing netfilter chains
+AUDIT_NETFILTER_CFG,1325,KERN,IND/SC,Netfilter chain modifications
+AUDIT_SECCOMP,1326,KERN,IND,Secure Computing event
+AUDIT_PROCTITLE,1327,KERN,SC,Process Title info
+AUDIT_FEATURE_CHANGE,1328,KERN,IND,Audit feature changed value
+AUDIT_REPLACE,1329,KERN,CTL,Replace auditd if this probe unanswerd
+AUDIT_KERN_MODULE,1330,KERN,SC,Kernel Module events
+AUDIT_AVC,1400,KERN,SC,SELinux AVC (Access Vector Cache) denial or grant
+AUDIT_SELINUX_ERR,1401,KERN,SC,Internal SELinux errors
+AUDIT_AVC_PATH,1402,KERN,SC,"dentry, vfsmount pair from AVC"
+AUDIT_MAC_POLICY_LOAD,1403,KERN,SC,SELinux Policy file load
+AUDIT_MAC_STATUS,1404,KERN,SC,"SELinux mode (enforcing, permissive, off) changed"
+AUDIT_MAC_CONFIG_CHANGE,1405,KERN,SC,SELinux Boolean value modification
+AUDIT_MAC_UNLBL_ALLOW,1406,KERN,SC,NetLabel: allow unlabeled traffic
+AUDIT_MAC_CIPSOV4_ADD,1407,KERN,SC,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_CIPSOV4_DEL,1408,KERN,SC,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_MAP_ADD,1409,KERN,SC,NetLabel: add LSM (Linux Security Module) domain mapping
+AUDIT_MAC_MAP_DEL,1410,KERN,SC,NetLabel: del LSM (Linux Security Module) domain mapping
+AUDIT_MAC_IPSEC_ADDSA,1411,KERN,DEP,Not used
+AUDIT_MAC_IPSEC_DELSA,1412,KERN,DEP,Not used
+AUDIT_MAC_IPSEC_ADDSPD,1413,KERN,DEP,Not used
+AUDIT_MAC_IPSEC_DELSPD,1414,KERN,DEP,Not used
+AUDIT_MAC_IPSEC_EVENT,1415,KERN,SC,Audit an IPsec event
+AUDIT_MAC_UNLBL_STCADD,1416,KERN,SC,NetLabel: add a static label
+AUDIT_MAC_UNLBL_STCDEL,1417,KERN,SC,NetLabel: del a static label
+AUDIT_MAC_CALIPSO_ADD,1418,KERN,SC,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_MAC_CALIPSO_DEL,1419,KERN,SC,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_AA,1500,KERN,?,
+AUDIT_APPARMOR_AUDIT,1501,KERN,SC,
+AUDIT_APPARMOR_ALLOWED,1502,KERN,SC,
+AUDIT_APPARMOR_DENIED,1503,KERN,SC,
+AUDIT_APPARMOR_HINT,1504,KERN,SC,
+AUDIT_APPARMOR_STATUS,1505,KERN,SC,
+AUDIT_APPARMOR_ERROR,1506,KERN,SC,
+AUDIT_APPARMOR_KILL,enum1507,KERN,SC,
+AUDIT_ANOM_PROMISCUOUS,1700,KERN,SC/IND,Device changed promiscuous mode
+AUDIT_ANOM_ABEND,1701,KERN,IND,Process ended abnormally
+AUDIT_ANOM_LINK,1702,KERN,SC?,Suspicious use of file links
+AUDIT_INTEGRITY_DATA,1800,KERN,SC,Data integrity verification
+AUDIT_INTEGRITY_METADATA,1801,KERN,SC,Metadata integrity verification
+AUDIT_INTEGRITY_STATUS,1802,KERN,SC,Integrity enable status
+AUDIT_INTEGRITY_HASH,1803,KERN,SC,Integrity HASH type
+AUDIT_INTEGRITY_PCR,1804,KERN,SC,PCR (Platform Configuration Register) invalidation messages
+AUDIT_INTEGRITY_RULE,1805,KERN,SC/IND,Policy rule
+AUDIT_KERNEL,2000,KERN,IND,Kernel audit status
+AUDIT_ANOM_LOGIN_FAILURES,2100,USER,IND,Failed login limit reached
+AUDIT_ANOM_LOGIN_TIME,2101,USER,IND,Login attempted at bad time
+AUDIT_ANOM_LOGIN_SESSIONS,2102,USER,IND,Maximum concurrent sessions reached
+AUDIT_ANOM_LOGIN_ACCT,2103,USER,IND,Login attempted to watched account
+AUDIT_ANOM_LOGIN_LOCATION,2104,USER,IND,Login from forbidden location
+AUDIT_ANOM_MAX_DAC,2105,USER,IND,Max DAC (Discretionary Access Control) failures reached
+AUDIT_ANOM_MAX_MAC,2106,USER,IND,Max MAC (Mandatory Access Control) failures reached
+AUDIT_ANOM_AMTU_FAIL,2107,USER,IND,AMTU (Abstract Machine Test Utility) failure
+AUDIT_ANOM_RBAC_FAIL,2108,USER,IND,RBAC (Role-Based Access Control) self test failure
+AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,USER,IND,RBAC (Role-Based Access Control) file integrity test failure
+AUDIT_ANOM_CRYPTO_FAIL,2110,USER,IND,Crypto system test failure
+AUDIT_ANOM_ACCESS_FS,2111,USER,IND,Access of file or directory ended abnormally
+AUDIT_ANOM_EXEC,2112,USER,IND,Execution of file ended abnormally
+AUDIT_ANOM_MK_EXEC,2113,USER,IND,Make an executable
+AUDIT_ANOM_ADD_ACCT,2114,USER,IND,Adding a user account ended abnormally
+AUDIT_ANOM_DEL_ACCT,2115,USER,IND,Deleting a user account ended abnormally
+AUDIT_ANOM_MOD_ACCT,2116,USER,IND,Changing an account ended abnormally
+AUDIT_ANOM_ROOT_TRANS,2117,USER,IND,User became root
+AUDIT_RESP_ANOMALY,2200,USER,IND,Anomaly not reacted to
+AUDIT_RESP_ALERT,2201,USER,IND,Alert email was sent
+AUDIT_RESP_KILL_PROC,2202,USER,IND,Kill program
+AUDIT_RESP_TERM_ACCESS,2203,USER,IND,Terminate session
+AUDIT_RESP_ACCT_REMOTE,2204,USER,IND,User account locked from remote access
+AUDIT_RESP_ACCT_LOCK_TIMED,2205,USER,IND,User account locked for time
+AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,USER,IND,User account unlocked from time
+AUDIT_RESP_ACCT_LOCK,2207,USER,IND,User account was locked
+AUDIT_RESP_TERM_LOCK,2208,USER,IND,Terminal was locked
+AUDIT_RESP_SEBOOL,2209,USER,IND,Set an SELinux boolean
+AUDIT_RESP_EXEC,2210,USER,IND,Execute a script
+AUDIT_RESP_SINGLE,2211,USER,IND,Go to single user mode
+AUDIT_RESP_HALT,2212,USER,IND,Take the system down
+AUDIT_USER_ROLE_CHANGE,2300,USER,IND,User changed to a new SELinux role
+AUDIT_ROLE_ASSIGN,2301,USER,IND,Administrator assigned user to SELinux role
+AUDIT_ROLE_REMOVE,2302,USER,IND,Administrator removed user from SELinux role
+AUDIT_LABEL_OVERRIDE,2303,USER,IND,Administrator is overriding a SELinux label
+AUDIT_LABEL_LEVEL_CHANGE,2304,USER,IND,Object level SELinux label modified
+AUDIT_USER_LABELED_EXPORT,2305,USER,IND,Object exported with SELinux label
+AUDIT_USER_UNLABELED_EXPORT,2306,USER,IND,Object exported without SELinux label
+AUDIT_DEV_ALLOC,2307,USER,IND,Device was allocated
+AUDIT_DEV_DEALLOC,2308,USER,IND,Device was deallocated
+AUDIT_FS_RELABEL,2309,USER,IND,Filesystem relabeled
+AUDIT_USER_MAC_POLICY_LOAD,2310,USER,IND,Usersapce daemon loaded SELinux policy
+AUDIT_ROLE_MODIFY,2311,USER,IND,Administrator modified an SELinux role
+AUDIT_USER_MAC_CONFIG_CHANGE,2312,USER,IND,Change made to MAC (Mandatory Access Control) policy
+AUDIT_CRYPTO_TEST_USER,2400,USER,IND,Cryptographic test results
+AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,USER,IND,Cryptographic attribute change
+AUDIT_CRYPTO_LOGIN,2402,USER,IND,Cryptographic officer login
+AUDIT_CRYPTO_LOGOUT,2403,USER,IND,Cryptographic officer logout
+AUDIT_CRYPTO_KEY_USER,2404,USER,IND,"Create, delete, negotiate cryptographic key identifier"
+AUDIT_CRYPTO_FAILURE_USER,2405,USER,IND,"Fail decrypt, encrypt or randomize operation"
+AUDIT_CRYPTO_REPLAY_USER,2406,USER,IND,Cryptographic replay attack detected
+AUDIT_CRYPTO_SESSION,2407,USER,IND,Parameters set during TLS session establishment
+AUDIT_CRYPTO_IKE_SA,2408,USER,IND,Parameters related to IKE SA
+AUDIT_CRYPTO_IPSEC_SA,2409,USER,IND,Parameters related to IPSEC SA
+AUDIT_VIRT_CONTROL,2500,USER,IND,"Start, Pause, Stop VM"
+AUDIT_VIRT_RESOURCE,2501,USER,IND,Resource assignment
+AUDIT_VIRT_MACHINE_ID,2502,USER,IND,Binding of label to VM
+AUDIT_VIRT_INTEGRITY_CHECK,2503,USER,IND,Guest integrity results
+AUDIT_VIRT_CREATE,2504,USER,IND,Creation of guest image
+AUDIT_VIRT_DESTROY,2505,USER,IND,Destruction of guest image
+AUDIT_VIRT_MIGRATE_IN,2506,USER,IND,Inbound guest migration info
+AUDIT_VIRT_MIGRATE_OUT,2507,USER,IND,Outbound guest migration info
--
1.7.1
7 years, 5 months
- 1
- 0