How do I get complete list of audit event types - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

How do I get complete list of audit event types

[PATCH 0/2] lost_reset: alt fix...

Pidgin, 4.14 and App Armor Oops.

Satish Chandra Kilaru

Tuesday, 8 April 2014 Tue, 8 Apr '14

9:53 a.m.

Hi I want to understand the logs in /var/log/audit/audit.log. Where can I get complete list of audit event types and what they mean? --Satish Please Donate to www.wikipedia.org

Attachments:

attachment.html (text/html — 291 bytes)

Reply

Show replies by date

Steve Grubb

Tuesday, 8 April Tue, 8 Apr

3:41 p.m.

On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote:

Hi I want to understand the logs in /var/log/audit/audit.log. Where can I get complete list of audit event types

ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v 'ALL|Valid' | sort

and what they mean?

Each event type has some comment in the header files /usr/include/libaudit.h and /usr/include/linux/audit.h. There is also some documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin... And I want to think some other distros have docs as well. -Steve

Reply

Satish Chandra Kilaru

3:47 p.m.

Thank you. On Tue, Apr 8, 2014 at 4:41 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:

On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote: > Hi > > I want to understand the logs in /var/log/audit/audit.log. Where can I get > complete list of audit event types ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v 'ALL|Valid' | sort > and what they mean? Each event type has some comment in the header files /usr/include/libaudit.h and /usr/include/linux/audit.h. There is also some documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin... And I want to think some other distros have docs as well. -Steve

-- Please Donate to www.wikipedia.org

Reply

Satish Chandra Kilaru

Wednesday, 9 April Wed, 9 Apr

10:24 a.m.

Someone might look for this info in the future... AUDIT_ADD_GROUP " User space group added " AUDIT_ADD_USER " User space user account added " AUDIT_ANOM_ABEND " Process ended abnormally " AUDIT_ANOM_ACCESS_FS Access of file or dir AUDIT_ANOM_ADD_ACCT Adding an acct AUDIT_ANOM_AMTU_FAIL AMTU failure AUDIT_ANOM_CRYPTO_FAIL Crypto system test failure AUDIT_ANOM_DEL_ACCT Deleting an acct AUDIT_ANOM_EXEC Execution of file AUDIT_ANOM_LOGIN_ACCT Login attempted to watched acct AUDIT_ANOM_LOGIN_FAILURES Failed login limit reached AUDIT_ANOM_LOGIN_LOCATION Login from forbidden location AUDIT_ANOM_LOGIN_SESSIONS Max concurrent sessions reached AUDIT_ANOM_LOGIN_TIME Login attempted at bad time AUDIT_ANOM_MAX_DAC Max DAC failures reached AUDIT_ANOM_MAX_MAC Max MAC failures reached AUDIT_ANOM_MK_EXEC Make an executable AUDIT_ANOM_MOD_ACCT Changing an acct AUDIT_ANOM_PROMISCUOUS " Device changed promiscuous mode " AUDIT_ANOM_RBAC_FAIL RBAC self test failure AUDIT_ANOM_RBAC_INTEGRITY_FAIL RBAC file integrity failure AUDIT_ANOM_ROOT_TRANS User became root AUDIT_AVC " SE Linux avc denial or grant " AUDIT_AVC_PATH " dentry, vfsmount pair from avc " AUDIT_BPRM_FCAPS " Information about fcaps increasing perms " AUDIT_CAPSET " Record showing argument to sys_capset " AUDIT_CHGRP_ID " User space group ID changed " AUDIT_CHUSER_ID " Changed user ID supplemental data " AUDIT_CONFIG_CHANGE " Audit system configuration change " AUDIT_CRED_ACQ " User space credential acquired " AUDIT_CRED_DISP " User space credential disposed " AUDIT_CRED_REFR " User space credential refreshed " AUDIT_CRYPTO_FAILURE_USER " Fail decrypt,encrypt,randomiz " AUDIT_CRYPTO_KEY_USER " Create,delete,negotiate " AUDIT_CRYPTO_LOGIN " Logged in as crypto officer " AUDIT_CRYPTO_LOGOUT " Logged out from crypto " AUDIT_CRYPTO_PARAM_CHANGE_USER " Crypto attribute change " AUDIT_CRYPTO_REPLAY_USER " Crypto replay detected " AUDIT_CRYPTO_SESSION " Record parameters set during AUDIT_CRYPTO_TEST_USER " Crypto test results " AUDIT_CWD " Current working directory " AUDIT_DAC_CHECK " User space DAC check results " AUDIT_DAEMON_ABORT " Daemon error stop record " AUDIT_DAEMON_ACCEPT " Auditd accepted remote connection " AUDIT_DAEMON_CLOSE " Auditd closed remote connection " AUDIT_DAEMON_CONFIG " Daemon config change " AUDIT_DAEMON_END " Daemon normal stop record " AUDIT_DAEMON_RESUME " Auditd should resume logging " AUDIT_DAEMON_ROTATE " Auditd should rotate logs " AUDIT_DAEMON_START " Daemon startup record " AUDIT_DEL_GROUP " User space group deleted " AUDIT_DEL_USER " User space user account deleted " AUDIT_EOE " End of multi-record event " AUDIT_EXECVE " execve arguments " AUDIT_FD_PAIR " audit record for pipe AUDIT_FS_RELABEL " Filesystem relabeled " AUDIT_GRP_AUTH " Authentication for group password " AUDIT_INTEGRITY_DATA #ifndef AUDIT_INTEGRITY_DATA " Data integrity verification " " Data integrity verification " AUDIT_INTEGRITY_HASH " Integrity HASH type " " Integrity HASH type " AUDIT_INTEGRITY_METADATA " Metadata integrity verification " AUDIT_INTEGRITY_PCR " PCR invalidation msgs " " PCR invalidation msgs " AUDIT_INTEGRITY_RULE " Policy rule " " policy rule " AUDIT_INTEGRITY_STATUS " Integrity enable status " " Integrity enable status " AUDIT_IPC " IPC record " AUDIT_IPC_SET_PERM " IPC new permissions record type " AUDIT_KERNEL " Asynchronous audit record. NOT A REQUEST. " AUDIT_KERNEL_OTHER " For use by 3rd party modules " AUDIT_LABEL_LEVEL_CHANGE " Object's level was changed " AUDIT_LABEL_OVERRIDE " Admin is overriding a label " AUDIT_LOGIN " Define the login id and information " AUDIT_MAC_CIPSOV4_ADD " NetLabel: add CIPSOv4 DOI entry " AUDIT_MAC_CIPSOV4_DEL " NetLabel: del CIPSOv4 DOI entry " AUDIT_MAC_CONFIG_CHANGE " Changes to booleans " AUDIT_MAC_IPSEC_ADDSA " Not used " AUDIT_MAC_IPSEC_ADDSPD " Not used " AUDIT_MAC_IPSEC_DELSA " Not used " AUDIT_MAC_IPSEC_DELSPD " Not used " AUDIT_MAC_IPSEC_EVENT " Audit an IPSec event " AUDIT_MAC_MAP_ADD " NetLabel: add LSM domain mapping " AUDIT_MAC_MAP_DEL " NetLabel: del LSM domain mapping " AUDIT_MAC_POLICY_LOAD " Policy file load " AUDIT_MAC_STATUS " Changed enforcing,permissive,off " AUDIT_MAC_UNLBL_STCADD " NetLabel: add a static label " AUDIT_MAC_UNLBL_STCDEL " NetLabel: del a static label " AUDIT_MMAP #ifndef AUDIT_MMAP " Descriptor and flags in mmap " " Record showing descriptor and flags in mmap " AUDIT_MQ_GETSETATTR " POSIX MQ get AUDIT_MQ_NOTIFY " POSIX MQ notify record type " AUDIT_MQ_OPEN " POSIX MQ open record type " AUDIT_MQ_SENDRECV " POSIX MQ send AUDIT_NETFILTER_CFG #ifndef AUDIT_NETFILTER_CFG " Netfilter chain modifications " " Netfilter chain modifications " AUDIT_NETFILTER_PKT #ifndef AUDIT_NETFILTER_PKT " Packets traversing netfilter chains " " Packets traversing netfilter chains " AUDIT_OBJ_PID " ptrace target " AUDIT_PATH " Filename path information " AUDIT_RESP_ACCT_LOCK " User acct was locked " AUDIT_RESP_ACCT_LOCK_TIMED " User acct locked for time " AUDIT_RESP_ACCT_REMOTE " Acct locked from remote access" AUDIT_RESP_ACCT_UNLOCK_TIMED " User acct unlocked from time " AUDIT_RESP_ALERT " Alert email was sent " AUDIT_RESP_ANOMALY " Anomaly not reacted to " AUDIT_RESP_EXEC " Execute a script " AUDIT_RESP_HALT " take the system down " AUDIT_RESP_KILL_PROC " Kill program " AUDIT_RESP_SEBOOL " Set an SE Linux boolean " AUDIT_RESP_SINGLE " Go to single user mode " AUDIT_RESP_TERM_ACCESS " Terminate session " AUDIT_RESP_TERM_LOCK " Terminal was locked " AUDIT_ROLE_ASSIGN " Admin assigned user to role " AUDIT_ROLE_MODIFY " Admin modified a role " AUDIT_ROLE_REMOVE " Admin removed user from role " AUDIT_SELINUX_ERR " Internal SE Linux Errors " AUDIT_SERVICE_START " Service (daemon) start " AUDIT_SERVICE_STOP " Service (daemon) stop " AUDIT_SOCKADDR " sockaddr copied as syscall arg " AUDIT_SYSTEM_BOOT " System boot " AUDIT_SYSTEM_RUNLEVEL " System runlevel change " AUDIT_SYSTEM_SHUTDOWN " System shutdown " AUDIT_TEST " Used for test success messages " AUDIT_TRUSTED_APP " Trusted app msg - freestyle text " AUDIT_TTY " Input on an administrative TTY " AUDIT_USER " Message from userspace -- deprecated " AUDIT_USER_ACCT " User space acct change " AUDIT_USER_AUTH " User space authentication " AUDIT_USER_AVC " User space avc message " " We filter this differently " AUDIT_USER_CHAUTHTOK " User space acct attr changed " AUDIT_USER_CMD " User shell command and args " AUDIT_USER_END " User space session end " AUDIT_USER_ERR " User space acct state err " AUDIT_USER_LABELED_EXPORT " Object exported with label " AUDIT_USER_LOGIN " User space user has logged in " AUDIT_USER_LOGOUT " User space user has logged out " AUDIT_USER_MAC_POLICY_LOAD " Userspc daemon loaded policy " AUDIT_USER_MGMT " User space acct management " AUDIT_USER_ROLE_CHANGE " User changed to a new role " AUDIT_USER_SELINUX_ERR " SE Linux user space error " AUDIT_USER_START " User space session start " AUDIT_USER_TTY " Non-ICANON TTY input meaning " " Non-ICANON TTY input meaning " AUDIT_USER_UNLABELED_EXPORT " Object exported without label " AUDIT_USYS_CONFIG " User space system config change " AUDIT_VIRT_CONTROL " Start, Pause, Stop VM " AUDIT_VIRT_MACHINE_ID " Binding of label to VM " AUDIT_VIRT_RESOURCE " Resource assignment " On Tue, Apr 8, 2014 at 4:47 PM, Satish Chandra Kilaru <iam.kilaru(a)gmail.com>wrote:

Thank you. On Tue, Apr 8, 2014 at 4:41 PM, Steve Grubb <sgrubb(a)redhat.com> wrote: > On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote: > > Hi > > > > I want to understand the logs in /var/log/audit/audit.log. Where can I > get > > complete list of audit event types > > ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v > 'ALL|Valid' | sort > > > and what they mean? > > Each event type has some comment in the header files > /usr/include/libaudit.h > and /usr/include/linux/audit.h. There is also some documentation here: > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin... > > And I want to think some other distros have docs as well. > > -Steve > -- Please Donate to www.wikipedia.org

-- Please Donate to www.wikipedia.org

Reply

lists_todd＠mac.com

11:23 a.m.

On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru <iam.kilaru(a)gmail.com> wrote:

Someone might look for this info in the future... AUDIT_ADD_GROUP " User space group added " AUDIT_ADD_USER " User space user account added " AUDIT_ANOM_ABEND " Process ended abnormally “ ...

Thanks!!! Todd

Reply

Richard Guy Briggs

Thursday, 23 November Thu, 23 Nov

11:57 a.m.

On 2014-04-09 09:23, lists_todd(a)mac.com wrote:

On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru <iam.kilaru(a)gmail.com> wrote: > Someone might look for this info in the future... > > AUDIT_ADD_GROUP " User space group added " > AUDIT_ADD_USER " User space user account added " > AUDIT_ANOM_ABEND " Process ended abnormally “ > ... Thanks!!!

This thread is a little stale, but here's a list that is being updated: https://github.com/linux-audit/audit-documentation/blob/master/specs/mess...

Todd

- RGB -- Richard Guy Briggs <rgb(a)redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

Reply

2594

days inactive

3919

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

5 comments

4 participants

tags (0)

participants (4)

lists_todd＠mac.com
Richard Guy Briggs
Satish Chandra Kilaru
Steve Grubb