In audit logs, one field which is always present is "TYPE".
What does this type indicate?
If this type refers to the symbolic constants defined in linux/audit.h, then types like USER_AUTH, USER_ACCT, CRED_ACQ etc. are not defined in that particular file.
So how do we map these symbolic constants to numeric values?
For example:
If type=CONFIG_CHANGE then we get the numeric value for type as "1305", which is defined in the file linux/audit.h.
But no such values are there for type=USER_AUTH, CRED_ACQ etc.
For such types we get the numeric value 1819222064. How do we interpret such values?
We are adding DB support for the auditing system, in which we are thinking of creating tables on the basis of the blocks of netlink messages, which are shown below.
/* The netlink messages for the audit system is divided into blocks:
* 1000 - 1099 are for commanding the audit system (Table1)
* 1100 - 1199 user space trusted application messages (Table2)
* 1200 - 1299 messages internal to the audit daemon (Table3)
 * 1300 - 1399 audit event messages (Table4)
 * 1400 - 1499 SE Linux use
 * 1500 - 1599 kernel LSPP events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1999 future kernel use (maybe integrity labels and related events)
 * 2000 is for otherwise unclassified kernel audit messages (legacy)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2999 future user space (maybe integrity labels and related events)
 *
 * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
 * exclusively user space. 1300-2099 is kernel --> user space
 * communication.
 */
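Added worked example (not part of the question above, and not audit-libs code): a self-contained C program that does the name-to-number mapping the question asks about and then picks the block (table) from the audit.h comment. The 1100-1199 names such as USER_AUTH (1100), USER_ACCT (1101) and CRED_ACQ (1103) come from audit-libs' libaudit.h, not from the kernel's linux/audit.h, which only reserves that range as AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG; in a real deployment you would call libaudit's audit_name_to_msg_type() / audit_msg_type_to_name() instead of carrying your own table. The table below is a constructed subset, the block labels are made-up table names, and the sample records are constructed. The last helper is a diagnostic for the odd 1819222064 value: that number is 0x6C6F2030, four printable ASCII bytes, which is the usual signature of a string being read through an int pointer rather than of a real type number, so it is worth rejecting before it reaches the database.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed subset of audit record types.  1000-1099 and 1300-2000
 * values are the kernel's (linux/audit.h); the 1100-1199 names are
 * defined by audit-libs in libaudit.h, not by the kernel header. */
struct audit_type { const char *name; int value; };

static const struct audit_type audit_types[] = {
    { "GET",           1000 }, { "SET",           1001 },
    { "LIST",          1002 }, { "ADD",           1003 },
    { "DEL",           1004 }, { "USER",          1005 },
    { "LOGIN",         1006 },
    { "USER_AUTH",     1100 }, { "USER_ACCT",     1101 },
    { "USER_MGMT",     1102 }, { "CRED_ACQ",      1103 },
    { "CRED_DISP",     1104 }, { "USER_START",    1105 },
    { "USER_END",      1106 },
    { "DAEMON_START",  1200 }, { "DAEMON_END",    1201 },
    { "SYSCALL",       1300 }, { "PATH",          1302 },
    { "IPC",           1303 }, { "SOCKETCALL",    1304 },
    { "CONFIG_CHANGE", 1305 }, { "SOCKADDR",      1306 },
    { "CWD",           1307 }, { "EXECVE",        1309 },
    { "AVC",           1400 }, { "ANOM_PROMISCUOUS", 1700 },
    { "KERNEL",        2000 },
};

/* Name -> number (the job libaudit's audit_name_to_msg_type() does).
 * Returns -1 for an unknown name; never store -1, log it instead. */
int audit_name_to_type(const char *name)
{
    size_t n = sizeof(audit_types) / sizeof(audit_types[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(audit_types[i].name, name) == 0)
            return audit_types[i].value;
    return -1;
}

/* Number -> block, following the comment in linux/audit.h.  The labels are
 * constructed and can serve as DB table names; NULL = outside every block. */
const char *audit_type_block(int type)
{
    if (type >= 1000 && type <= 1099) return "control";        /* Table1 */
    if (type >= 1100 && type <= 1199) return "user_msg";       /* Table2 */
    if (type >= 1200 && type <= 1299) return "daemon";         /* Table3 */
    if (type >= 1300 && type <= 1399) return "event";          /* Table4 */
    if (type >= 1400 && type <= 1499) return "selinux";
    if (type >= 1500 && type <= 1599) return "kernel_lspp";
    if (type >= 1600 && type <= 1699) return "kernel_crypto";
    if (type >= 1700 && type <= 1799) return "kernel_anom";
    if (type >= 1800 && type <= 1999) return "kernel_future";
    if (type == 2000)                 return "kernel_legacy";
    if (type >= 2001 && type <= 2099) return "kernel_unused";
    if (type >= 2100 && type <= 2199) return "user_anom";
    if (type >= 2200 && type <= 2299) return "user_anom_resp";
    if (type >= 2300 && type <= 2399) return "user_lspp";
    if (type >= 2400 && type <= 2499) return "user_crypto";
    if (type >= 2500 && type <= 2999) return "user_future";
    return NULL;
}

/* Copy the value of the type= field of a raw record into out.
 * Returns the number of characters copied, 0 if there is no type= field. */
int audit_record_type_name(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, "type=");
    if (!p || outlen == 0) return 0;
    p += 5;
    size_t i = 0;
    while (p[i] && p[i] != ' ' && i + 1 < outlen) { out[i] = p[i]; i++; }
    out[i] = '\0';
    return (int)i;
}

/* Diagnostic: 1 if all four bytes of v are printable ASCII, i.e. the value
 * looks like text read through an int pointer rather than a type number. */
int type_looks_like_ascii(unsigned int v)
{
    for (int i = 0; i < 4; i++)
        if (!isprint((v >> (8 * i)) & 0xffu)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample records, not captured from a real host. */
    const char *records[] = {
        "type=USER_AUTH msg=audit(1320000000.123:42): pid=1234 uid=0 auid=500 "
        "msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" res=success'",
        "type=CONFIG_CHANGE msg=audit(1320000000.456:43): auid=500 op=\"add rule\" res=1",
        "type=NOT_A_TYPE msg=audit(1320000000.789:44): res=failed",
    };
    for (size_t i = 0; i < sizeof(records) / sizeof(records[0]); i++) {
        char name[64];
        audit_record_type_name(records[i], name, sizeof name);
        int t = audit_name_to_type(name);
        const char *blk = t < 0 ? NULL : audit_type_block(t);
        printf("%-14s -> %5d -> table %s\n", name, t, blk ? blk : "(unknown, reject)");
    }
    printf("1819222064 ascii-looking: %d\n", type_looks_like_ascii(1819222064u));
    return 0;
}
```

The name lookup and the block lookup are kept separate on purpose: the DB layer should store the numeric type and derive the table from the range, so a newly added name that the table does not know yet still lands in the right block once you add it, and a value that maps to no block at all (or that fails the ASCII check) is rejected rather than silently creating a new table.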