Discussion:
How do I get complete list of audit event types
Satish Chandra Kilaru
2014-04-08 14:53:40 UTC
Hi

I want to understand the logs in /var/log/audit/audit.log. Where can I get
a complete list of audit event types and what they mean?

--Satish
Please Donate to www.wikipedia.org
Steve Grubb
2014-04-08 20:41:02 UTC
Post by Satish Chandra Kilaru
Hi
I want to understand the logs in /var/log/audit/audit.log. Where can I get
a complete list of audit event types
ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v 'ALL|Valid' | sort
Post by Satish Chandra Kilaru
and what they mean?
Each event type has some comment in the header files /usr/include/libaudit.h
and /usr/include/linux/audit.h. There is also some documentation here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html

And I want to think some other distros have docs as well.

-Steve
Satish Chandra Kilaru
2014-04-08 20:47:17 UTC
Thank you.
--
Please Donate to www.wikipedia.org
Satish Chandra Kilaru
2014-04-09 15:24:02 UTC
Someone might look for this info in the future...

AUDIT_ADD_GROUP " User space group added "
AUDIT_ADD_USER " User space user account added "
AUDIT_ANOM_ABEND " Process ended abnormally "
AUDIT_ANOM_ACCESS_FS Access of file or dir
AUDIT_ANOM_ADD_ACCT Adding an acct
AUDIT_ANOM_AMTU_FAIL AMTU failure
AUDIT_ANOM_CRYPTO_FAIL Crypto system test failure
AUDIT_ANOM_DEL_ACCT Deleting an acct
AUDIT_ANOM_EXEC Execution of file
AUDIT_ANOM_LOGIN_ACCT Login attempted to watched acct
AUDIT_ANOM_LOGIN_FAILURES Failed login limit reached
AUDIT_ANOM_LOGIN_LOCATION Login from forbidden location
AUDIT_ANOM_LOGIN_SESSIONS Max concurrent sessions reached
AUDIT_ANOM_LOGIN_TIME Login attempted at bad time
AUDIT_ANOM_MAX_DAC Max DAC failures reached
AUDIT_ANOM_MAX_MAC Max MAC failures reached
AUDIT_ANOM_MK_EXEC Make an executable
AUDIT_ANOM_MOD_ACCT Changing an acct
AUDIT_ANOM_PROMISCUOUS " Device changed promiscuous mode "
AUDIT_ANOM_RBAC_FAIL RBAC self test failure
AUDIT_ANOM_RBAC_INTEGRITY_FAIL RBAC file integrity failure
AUDIT_ANOM_ROOT_TRANS User became root
AUDIT_AVC " SE Linux avc denial or grant "
AUDIT_AVC_PATH " dentry, vfsmount pair from avc "
AUDIT_BPRM_FCAPS " Information about fcaps increasing perms "
AUDIT_CAPSET " Record showing argument to sys_capset "
AUDIT_CHGRP_ID " User space group ID changed "
AUDIT_CHUSER_ID " Changed user ID supplemental data "
AUDIT_CONFIG_CHANGE " Audit system configuration change "
AUDIT_CRED_ACQ " User space credential acquired "
AUDIT_CRED_DISP " User space credential disposed "
AUDIT_CRED_REFR " User space credential refreshed "
AUDIT_CRYPTO_FAILURE_USER " Fail decrypt,encrypt,randomiz "
AUDIT_CRYPTO_KEY_USER " Create,delete,negotiate "
AUDIT_CRYPTO_LOGIN " Logged in as crypto officer "
AUDIT_CRYPTO_LOGOUT " Logged out from crypto "
AUDIT_CRYPTO_PARAM_CHANGE_USER " Crypto attribute change "
AUDIT_CRYPTO_REPLAY_USER " Crypto replay detected "
AUDIT_CRYPTO_SESSION " Record parameters set during
AUDIT_CRYPTO_TEST_USER " Crypto test results "
AUDIT_CWD " Current working directory "
AUDIT_DAC_CHECK " User space DAC check results "
AUDIT_DAEMON_ABORT " Daemon error stop record "
AUDIT_DAEMON_ACCEPT " Auditd accepted remote connection "
AUDIT_DAEMON_CLOSE " Auditd closed remote connection "
AUDIT_DAEMON_CONFIG " Daemon config change "
AUDIT_DAEMON_END " Daemon normal stop record "
AUDIT_DAEMON_RESUME " Auditd should resume logging "
AUDIT_DAEMON_ROTATE " Auditd should rotate logs "
AUDIT_DAEMON_START " Daemon startup record "
AUDIT_DEL_GROUP " User space group deleted "
AUDIT_DEL_USER " User space user account deleted "
AUDIT_EOE " End of multi-record event "
AUDIT_EXECVE " execve arguments "
AUDIT_FD_PAIR " audit record for pipe
AUDIT_FS_RELABEL " Filesystem relabeled "
AUDIT_GRP_AUTH " Authentication for group password "
AUDIT_INTEGRITY_DATA " Data integrity verification "
AUDIT_INTEGRITY_HASH " Integrity HASH type "
AUDIT_INTEGRITY_METADATA " Metadata integrity verification "
AUDIT_INTEGRITY_PCR " PCR invalidation msgs "
AUDIT_INTEGRITY_RULE " Policy rule "
AUDIT_INTEGRITY_STATUS " Integrity enable status "
AUDIT_IPC " IPC record "
AUDIT_IPC_SET_PERM " IPC new permissions record type "
AUDIT_KERNEL " Asynchronous audit record. NOT A REQUEST. "
AUDIT_KERNEL_OTHER " For use by 3rd party modules "
AUDIT_LABEL_LEVEL_CHANGE " Object's level was changed "
AUDIT_LABEL_OVERRIDE " Admin is overriding a label "
AUDIT_LOGIN " Define the login id and information "
AUDIT_MAC_CIPSOV4_ADD " NetLabel: add CIPSOv4 DOI entry "
AUDIT_MAC_CIPSOV4_DEL " NetLabel: del CIPSOv4 DOI entry "
AUDIT_MAC_CONFIG_CHANGE " Changes to booleans "
AUDIT_MAC_IPSEC_ADDSA " Not used "
AUDIT_MAC_IPSEC_ADDSPD " Not used "
AUDIT_MAC_IPSEC_DELSA " Not used "
AUDIT_MAC_IPSEC_DELSPD " Not used "
AUDIT_MAC_IPSEC_EVENT " Audit an IPSec event "
AUDIT_MAC_MAP_ADD " NetLabel: add LSM domain mapping "
AUDIT_MAC_MAP_DEL " NetLabel: del LSM domain mapping "
AUDIT_MAC_POLICY_LOAD " Policy file load "
AUDIT_MAC_STATUS " Changed enforcing,permissive,off "
AUDIT_MAC_UNLBL_STCADD " NetLabel: add a static label "
AUDIT_MAC_UNLBL_STCDEL " NetLabel: del a static label "
AUDIT_MMAP " Record showing descriptor and flags in mmap "
AUDIT_MQ_GETSETATTR " POSIX MQ get
AUDIT_MQ_NOTIFY " POSIX MQ notify record type "
AUDIT_MQ_OPEN " POSIX MQ open record type "
AUDIT_MQ_SENDRECV " POSIX MQ send
AUDIT_NETFILTER_CFG " Netfilter chain modifications "
AUDIT_NETFILTER_PKT " Packets traversing netfilter chains "
AUDIT_OBJ_PID " ptrace target "
AUDIT_PATH " Filename path information "
AUDIT_RESP_ACCT_LOCK " User acct was locked "
AUDIT_RESP_ACCT_LOCK_TIMED " User acct locked for time "
AUDIT_RESP_ACCT_REMOTE " Acct locked from remote access"
AUDIT_RESP_ACCT_UNLOCK_TIMED " User acct unlocked from time "
AUDIT_RESP_ALERT " Alert email was sent "
AUDIT_RESP_ANOMALY " Anomaly not reacted to "
AUDIT_RESP_EXEC " Execute a script "
AUDIT_RESP_HALT " take the system down "
AUDIT_RESP_KILL_PROC " Kill program "
AUDIT_RESP_SEBOOL " Set an SE Linux boolean "
AUDIT_RESP_SINGLE " Go to single user mode "
AUDIT_RESP_TERM_ACCESS " Terminate session "
AUDIT_RESP_TERM_LOCK " Terminal was locked "
AUDIT_ROLE_ASSIGN " Admin assigned user to role "
AUDIT_ROLE_MODIFY " Admin modified a role "
AUDIT_ROLE_REMOVE " Admin removed user from role "
AUDIT_SELINUX_ERR " Internal SE Linux Errors "
AUDIT_SERVICE_START " Service (daemon) start "
AUDIT_SERVICE_STOP " Service (daemon) stop "
AUDIT_SOCKADDR " sockaddr copied as syscall arg "
AUDIT_SYSTEM_BOOT " System boot "
AUDIT_SYSTEM_RUNLEVEL " System runlevel change "
AUDIT_SYSTEM_SHUTDOWN " System shutdown "
AUDIT_TEST " Used for test success messages "
AUDIT_TRUSTED_APP " Trusted app msg - freestyle text "
AUDIT_TTY " Input on an administrative TTY "
AUDIT_USER " Message from userspace -- deprecated "
AUDIT_USER_ACCT " User space acct change "
AUDIT_USER_AUTH " User space authentication "
AUDIT_USER_AVC " User space avc message " " We filter this differently "
AUDIT_USER_CHAUTHTOK " User space acct attr changed "
AUDIT_USER_CMD " User shell command and args "
AUDIT_USER_END " User space session end "
AUDIT_USER_ERR " User space acct state err "
AUDIT_USER_LABELED_EXPORT " Object exported with label "
AUDIT_USER_LOGIN " User space user has logged in "
AUDIT_USER_LOGOUT " User space user has logged out "
AUDIT_USER_MAC_POLICY_LOAD " Userspc daemon loaded policy "
AUDIT_USER_MGMT " User space acct management "
AUDIT_USER_ROLE_CHANGE " User changed to a new role "
AUDIT_USER_SELINUX_ERR " SE Linux user space error "
AUDIT_USER_START " User space session start "
AUDIT_USER_TTY " Non-ICANON TTY input meaning "
AUDIT_USER_UNLABELED_EXPORT " Object exported without label "
AUDIT_USYS_CONFIG " User space system config change "
AUDIT_VIRT_CONTROL " Start, Pause, Stop VM "
AUDIT_VIRT_MACHINE_ID " Binding of label to VM "
AUDIT_VIRT_RESOURCE " Resource assignment "


--
Please Donate to www.wikipedia.org
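To see how these type= values show up in /var/log/audit/audit.log and tie them back to the header comments Steve pointed at and Satish listed, here is a small record parser added for this write-up (it is not code from the thread or from the audit project). The sample records and the type table are constructed from the list above; the layout assumed is the usual `type=... msg=audit(ts:serial): key=value ...` line, with user-space records nesting their fields inside msg='...'.

```python
import re

# Constructed sample records in audit.log format; every value here is made up for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1396968820.123:2001): arch=c000003e syscall=59 success=yes exit=0 pid=2400 auid=1000 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=EXECVE msg=audit(1396968820.123:2001): argc=2 a0="useradd" a1="bob"
type=PATH msg=audit(1396968820.123:2001): item=0 name="/usr/sbin/useradd" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0
type=ADD_USER msg=audit(1396968820.456:2002): pid=2400 uid=0 auid=1000 ses=3 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1396968900.789:2003): pid=2500 uid=0 auid=1000 ses=4 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=ANOM_ABEND msg=audit(1396969000.000:2004): auid=1000 uid=1000 ses=4 pid=2600 comm="myapp" reason="memory violation" sig=11
"""
# Descriptions copied from the header comments listed in this thread (AUDIT_ prefix dropped).
TYPE_DESCRIPTIONS = {
    "ADD_USER": "User space user account added",
    "ANOM_ABEND": "Process ended abnormally",
    "EXECVE": "execve arguments",
    "PATH": "Filename path information",
    "USER_LOGIN": "User space user has logged in",
}
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(body):
    # key=value pairs; quotes are stripped, and a user-space msg='...' is flattened into the same dict
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if key == "msg" and raw.startswith("'"):
            fields.update(parse_fields(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields

def parse_record(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not in the type=... msg=audit(ts:serial): format this parser expects
    return {"type": m[1], "time": float(m[2]), "serial": m[3], "fields": parse_fields(m[4])}

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def group_events(records):
    # records sharing msg=audit(ts:serial) form one multi-record event (closed by EOE in the log)
    events = {}
    for r in records:
        events.setdefault(r["serial"], []).append(r)
    return events

def describe(rtype):
    return TYPE_DESCRIPTIONS.get(rtype, "(not in this thread's table; see message-dictionary.csv)")
```

Grouping by serial is what makes the SYSCALL, EXECVE and PATH records above read as one useradd event rather than three unrelated lines.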
l***@mac.com
2014-04-09 16:23:56 UTC
Post by Satish Chandra Kilaru
Someone might look for this info in the future...
AUDIT_ADD_GROUP " User space group added "
AUDIT_ADD_USER " User space user account added "
AUDIT_ANOM_ABEND " Process ended abnormally "
...
Thanks!!!

Todd
Richard Guy Briggs
2017-11-23 17:57:21 UTC
Post by l***@mac.com
Post by Satish Chandra Kilaru
Someone might look for this info in the future...
AUDIT_ADD_GROUP " User space group added "
AUDIT_ADD_USER " User space user account added "
AUDIT_ANOM_ABEND " Process ended abnormally "
...
Thanks!!!
This thread is a little stale, but here's a list that is being updated:

https://github.com/linux-audit/audit-documentation/blob/master/specs/messages/message-dictionary.csv
Post by l***@mac.com
Todd
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
