From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rbriggs@redhat.com>
Subject: Re: message type dictionary clarifications
Date: Thu, 13 Jul 2017 17:02:22 -0400
Message-ID: <1649623.6v19s9fGL4@x2>
In-Reply-To: <20170713205104.GJ17720@madcap2.tricolour.ca>
On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
>
> The descriptions in the userspace header file don't obviously line up
> with another source. Can I get a clarification on these two messages:
>
> AUDIT_USER_ACCT 1101 User system access authorization
> Alt: User account modification
This is access authorization. Authorization is different from authentication.
PAM sends this event during login.
> AUDIT_USER_MGMT 1102 User account attribute change
> Alt: Userspace management data
This is strictly user account attribute changes. This is usually sent by
something like usermod of shadow-utils.
> Similarly, these weren't clear to me as to whether they were active or
> passive reports. Do these records say that the RESPonse happened, or
> that the RESPonse should happen?
They should record what actually happened including success or not.
> AUDIT_RESP_ALERT 2201 Alert email was sent
> AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
> AUDIT_RESP_EXEC 2210 Execute a script
> AUDIT_RESP_HALT 2212 take the system down
> AUDIT_RESP_KILL_PROC 2202 Kill program
> AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
> AUDIT_RESP_SINGLE 2211 Go to single user mode
> AUDIT_RESP_TERM_ACCESS 2203 Terminate session
> AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?
It means a script was executed in response.
-Steve
> I suspect they are all active and this EXEC one means a script
> was executed in response.
>
> Thanks!
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
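Added example, not part of the thread or of the audit project's own code: a small Python parser for audit.log-style records that applies the distinctions Steve draws above. USER_ACCT is PAM's access-authorization decision at login (not authentication), USER_MGMT is an account attribute change such as usermod produces, and RESP_* records report what an intrusion-response actually did, success or failure included. The numeric type IDs are the ones quoted in the thread and are used to resolve records written as type=UNKNOWN[nnnn]; the log lines, account names, addresses and op= values are constructed for this example and are not captured data.

```python
"""Parse audit.log-style records and classify them using the semantics
from the thread: USER_ACCT = PAM access authorization, USER_MGMT = account
attribute change, RESP_* = what an IDS response actually did (see res=).
All log lines below are constructed for this example, not real captures."""
import re
from dataclasses import dataclass, field

# Numeric IDs as quoted in the thread (userspace header). Used when auditd
# could not resolve a name and wrote the record as type=UNKNOWN[nnnn].
TYPE_IDS = {
    1101: "USER_ACCT", 1102: "USER_MGMT",
    2200: "RESP_ANOMALY", 2201: "RESP_ALERT", 2202: "RESP_KILL_PROC",
    2203: "RESP_TERM_ACCESS", 2208: "RESP_TERM_LOCK", 2209: "RESP_SEBOOL",
    2210: "RESP_EXEC", 2211: "RESP_SINGLE", 2212: "RESP_HALT",
}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
UNKNOWN_RE = re.compile(r"^UNKNOWN\[(\d+)\]$")
# key=value tokens: single-quoted (the nested msg='...' field), double-quoted, or bare.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


@dataclass
class Record:
    type: str
    ts: float
    serial: int
    fields: dict = field(default_factory=dict)


def parse_record(line):
    """Parse one audit record; the nested msg='...' payload is flattened into fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype = m["type"]
    u = UNKNOWN_RE.match(rtype)
    if u:
        rtype = TYPE_IDS.get(int(u.group(1)), rtype)
    fields = {}
    for k, v in KV_RE.findall(m["body"]):
        if v.startswith("'") and v.endswith("'"):
            for ik, iv in KV_RE.findall(v[1:-1]):
                fields[ik] = iv.strip('"')
        else:
            fields[k] = v.strip('"')
    return Record(rtype, float(m["ts"]), int(m["serial"]), fields)


def classify(rec):
    """Return (category, detail) per the thread's definitions."""
    res = rec.fields.get("res", "?")
    if rec.type == "USER_ACCT":
        # Authorization (PAM account stage), not authentication.
        return ("access-authorization", f"acct={rec.fields.get('acct')} res={res}")
    if rec.type == "USER_MGMT":
        who = rec.fields.get("acct") or rec.fields.get("id")
        return ("account-attribute-change", f"op={rec.fields.get('op')} acct={who} res={res}")
    if rec.type.startswith("RESP_"):
        # Records what actually happened, so res= says whether the response worked.
        return ("ids-response", f"{rec.type[len('RESP_'):]} res={res}")
    return ("other", "")


def review_queue(records):
    """Serials an analyst should look at: denied authorizations, every account
    attribute change, and any response action that did not succeed."""
    out = []
    for r in records:
        cat, _ = classify(r)
        res = r.fields.get("res")
        if cat == "account-attribute-change" or (cat != "other" and res != "success"):
            out.append(r.serial)
    return out


# Constructed sample lines in audit.log layout (values are made up).
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1499979064.123:456): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="alice" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1499979070.456:457): pid=1205 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_MGMT msg=audit(1499979100.789:458): pid=1300 uid=0 auid=1000 ses=3 msg='op=changing-home-dir id=1001 exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=success'
type=UNKNOWN[2210] msg=audit(1499979200.000:459): pid=1400 uid=0 auid=4294967295 ses=4294967295 msg='op=run-script exe="/usr/sbin/auditd" res=failed'
"""

if __name__ == "__main__":
    recs = [parse_record(l) for l in SAMPLE_LOG.splitlines()]
    for r in recs:
        print(r.serial, r.type, *classify(r))
    print("review:", review_queue(recs))
```

The flattening of the msg='...' payload is what makes res=, acct= and op= directly addressable; note that real shadow-utils op= strings can contain spaces, which this simple tokenizer does not handle, so treat it as a starting point rather than a drop-in ausearch replacement.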
Thread overview: 3+ messages
2017-07-13 20:51 message type dictionary clarifications Richard Guy Briggs
2017-07-13 21:02 ` Steve Grubb [this message]
2017-07-13 23:48 ` Richard Guy Briggs