Re: message type dictionary clarifications

On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote: > In the process of updating the audit message type dictionary, I came > across a couple of differences I wanted to clear up. > > The descriptions in the userspace header file don't obviously line up > with another source. Can I get a clarification on these two messages: > > AUDIT_USER_ACCT 1101 User system access authorization > Alt: User account modification This is access authorization. Authorization is different than authentication. Pam sends this event during login.

> AUDIT_USER_MGMT 1102 User account attribute change > Alt: Userspace management data This is strictly user account attribute changes. This is usually sent by something like usermod of shadow-utils.

> Similarly, these weren't clear to me as to whether they were active or > passive reports. Do these records say that the RESPonse happenned, or > that the RESPonse should happen? They should record what actually happened including success or not.

> AUDIT_RESP_ALERT 2201 Alert email was sent > AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to > AUDIT_RESP_EXEC 2210 Execute a script > AUDIT_RESP_HALT 2212 take the system down > AUDIT_RESP_KILL_PROC 2202 Kill program > AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean > AUDIT_RESP_SINGLE 2211 Go to single user mode > AUDIT_RESP_TERM_ACCESS 2203 Terminate session > AUDIT_RESP_TERM_LOCK 2208 Terminal was locked > > In particular, does AUDIT_RESP_EXEC mean something as simple as a script > was executed in response to some detected event, or intrusion detection > program responds to a threat originating from the execution of a > program? It means a script was executed in response.

-Steve > I suspect they are all active and this EXEC one means a script > was executed in response. > > Thanks! > > - RGB