On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
In the process of updating the audit message type dictionary, I came
across a couple of differences I wanted to clear up.
The descriptions in the userspace header file don't obviously line up
with another source. Can I get a clarification on these two messages:
AUDIT_USER_ACCT 1101 User system access authorization
Alt: User account modification
This is access authorization. Authorization is different than authentication.
Pam sends this event during login.
AUDIT_USER_MGMT 1102 User account attribute change
Alt: Userspace management data
This is strictly user account attribute changes. This is usually sent by
something like usermod of shadow-utils.
Similarly, these weren't clear to me as to whether they were
active or
passive reports. Do these records say that the RESPonse happenned, or
that the RESPonse should happen?
They should record what actually happened including success or not.
AUDIT_RESP_ALERT 2201 Alert email was sent
AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
AUDIT_RESP_EXEC 2210 Execute a script
AUDIT_RESP_HALT 2212 take the system down
AUDIT_RESP_KILL_PROC 2202 Kill program
AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
AUDIT_RESP_SINGLE 2211 Go to single user mode
AUDIT_RESP_TERM_ACCESS 2203 Terminate session
AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
In particular, does AUDIT_RESP_EXEC mean something as simple as a script
was executed in response to some detected event, or intrusion detection
program responds to a threat originating from the execution of a
program?
It means a script was executed in response.
-Steve
I suspect they are all active and this EXEC one means a script
was executed in response.
Thanks!
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
Red Hat Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit