On Saturday, May 20, 2017 9:04:37 AM EDT Lev Olshvang wrote:
> Hello list
> There are particularly interesting for IDS events, like ANOM_MK_EXEC,

This was in the now defunct prelude plugin.

> ANOM_ROOT_TRANS. These audit events are listed in the RHEL7 Security
> guide.

Not sure where this one is. But the main thing is that the ANOM and RESP
classes of events are for use by IDS and IPS respectively. I have been slowly
working my way back up the stack with the aim of providing a basic IDS/IPS
plugin that will generate all these events. I think many of the ANOM ones were in
the prelude plugin and will be used again. For now they are placeholders.

-Steve

> On my Ubuntu distro they are absent at user space level in
> /usr/include/linux/audit.h
> I have the RHEL7 kernel source linux-3.10.0-514.16.1.el7 which I downloaded
> from Centos
> ANOM_MK_EXE, ANOM_ROOT_TRANS do not appear there, neither in
> linux-3.10.0-514.16.1.el7/include/uapi/linux/audit.h nor in C files
> Please help me to understand who sends these events?
> ThanX,
> Lev
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit