* message type dictionary clarifications
@ 2017-07-13 20:51 Richard Guy Briggs
  2017-07-13 21:02 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Richard Guy Briggs @ 2017-07-13 20:51 UTC (permalink / raw)
  To: linux-audit

Hi,

In the process of updating the audit message type dictionary, I came
across a couple of differences I wanted to clear up.


The descriptions in the userspace header file don't obviously line up
with another source.  Can I get a clarification on these two messages:

AUDIT_USER_ACCT	1101	User system access authorization
		Alt:	User account modification
AUDIT_USER_MGMT	1102	User account attribute change
		Alt:	Userspace management data


Similarly, these weren't clear to me as to whether they were active or
passive reports.  Do these records say that the RESPonse happened, or
that the RESPonse should happen?

AUDIT_RESP_ALERT	2201	Alert email was sent
AUDIT_RESP_ANOMALY	2200	Anomaly not reacted to
AUDIT_RESP_EXEC		2210	Execute a script
AUDIT_RESP_HALT		2212	take the system down
AUDIT_RESP_KILL_PROC	2202	Kill program
AUDIT_RESP_SEBOOL	2209	Set an SELinux boolean
AUDIT_RESP_SINGLE	2211	Go to single user mode
AUDIT_RESP_TERM_ACCESS	2203	Terminate session
AUDIT_RESP_TERM_LOCK	2208	Terminal was locked

In particular, does AUDIT_RESP_EXEC mean something as simple as a script
was executed in response to some detected event, or intrusion detection
program responds to a threat originating from the execution of a
program?  I suspect they are all active and this EXEC one means a script
was executed in response.


Thanks!

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545


* Re: message type dictionary clarifications
  2017-07-13 20:51 message type dictionary clarifications Richard Guy Briggs
@ 2017-07-13 21:02 ` Steve Grubb
  2017-07-13 23:48   ` Richard Guy Briggs
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2017-07-13 21:02 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
> 
> The descriptions in the userspace header file don't obviously line up
> with another source.  Can I get a clarification on these two messages:
> 
> AUDIT_USER_ACCT	1101	User system access authorization
> 		Alt:	User account modification

This is access authorization. Authorization is different than authentication. 
Pam sends this event during login.


> AUDIT_USER_MGMT	1102	User account attribute change
> 		Alt:	Userspace management data

This is strictly user account attribute changes. This is usually sent by 
something like usermod of shadow-utils.


> Similarly, these weren't clear to me as to whether they were active or
> passive reports.  Do these records say that the RESPonse happened, or
> that the RESPonse should happen?

They should record what actually happened including success or not.


> AUDIT_RESP_ALERT	2201	Alert email was sent
> AUDIT_RESP_ANOMALY	2200	Anomaly not reacted to
> AUDIT_RESP_EXEC		2210	Execute a script
> AUDIT_RESP_HALT		2212	take the system down
> AUDIT_RESP_KILL_PROC	2202	Kill program
> AUDIT_RESP_SEBOOL	2209	Set an SELinux boolean
> AUDIT_RESP_SINGLE	2211	Go to single user mode
> AUDIT_RESP_TERM_ACCESS	2203	Terminate session
> AUDIT_RESP_TERM_LOCK	2208	Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?

It means a script was executed in response.

-Steve

> I suspect they are all active and this EXEC one means a script
> was executed in response.
> 
> Thanks!
> 
> - RGB
> 
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
> 


* Re: message type dictionary clarifications
  2017-07-13 21:02 ` Steve Grubb
@ 2017-07-13 23:48   ` Richard Guy Briggs
  0 siblings, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2017-07-13 23:48 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On 2017-07-13 17:02, Steve Grubb wrote:
> On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> > In the process of updating the audit message type dictionary, I came
> > across a couple of differences I wanted to clear up.
> > 
> > The descriptions in the userspace header file don't obviously line up
> > with another source.  Can I get a clarification on these two messages:
> > 
> > AUDIT_USER_ACCT	1101	User system access authorization
> > 		Alt:	User account modification
> 
> This is access authorization. Authorization is different than authentication. 
> Pam sends this event during login.

Ok, I'll update the "alt" text, since it is clearly wrong.

> > AUDIT_USER_MGMT	1102	User account attribute change
> > 		Alt:	Userspace management data
> 
> This is strictly user account attribute changes. This is usually sent by 
> something like usermod of shadow-utils.

Ok, again, I'll update the "alt" text, since it is a bit vague.

> > Similarly, these weren't clear to me as to whether they were active or
> > passive reports.  Do these records say that the RESPonse happened, or
> > that the RESPonse should happen?
> 
> They should record what actually happened including success or not.

Ok, so active.

> > AUDIT_RESP_ALERT	2201	Alert email was sent
> > AUDIT_RESP_ANOMALY	2200	Anomaly not reacted to
> > AUDIT_RESP_EXEC		2210	Execute a script
> > AUDIT_RESP_HALT		2212	take the system down
> > AUDIT_RESP_KILL_PROC	2202	Kill program
> > AUDIT_RESP_SEBOOL	2209	Set an SELinux boolean
> > AUDIT_RESP_SINGLE	2211	Go to single user mode
> > AUDIT_RESP_TERM_ACCESS	2203	Terminate session
> > AUDIT_RESP_TERM_LOCK	2208	Terminal was locked
> >
> > In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> > was executed in response to some detected event, or intrusion detection
> > program responds to a threat originating from the execution of a
> > program?
> 
> It means a script was executed in response.

Ok, good, thanks.

> -Steve
> 
> > I suspect they are all active and this EXEC one means a script
> > was executed in response.
> > 
> > Thanks!
> > 
> > - RGB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

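As an added illustration (not code from the thread or from the audit userspace), the dictionary settled above can be applied to audit.log lines: the type numbers and descriptions are the ones quoted in the thread, the log lines are constructed samples, and the `UNKNOWN[NNNN]` spelling accepted for a type missing from the userspace dictionary is an assumption about auditd's output format.

```python
"""Classify audit records with the message-type dictionary from the thread."""
import re

# Type numbers and descriptions as quoted and clarified in the thread.
AUDIT_TYPES = {
    1101: ("USER_ACCT", "User system access authorization (sent by PAM at login)"),
    1102: ("USER_MGMT", "User account attribute change (e.g. usermod)"),
    2200: ("RESP_ANOMALY", "Anomaly not reacted to"),
    2201: ("RESP_ALERT", "Alert email was sent"),
    2202: ("RESP_KILL_PROC", "Kill program"),
    2203: ("RESP_TERM_ACCESS", "Terminate session"),
    2208: ("RESP_TERM_LOCK", "Terminal was locked"),
    2209: ("RESP_SEBOOL", "Set an SELinux boolean"),
    2210: ("RESP_EXEC", "Execute a script"),
    2211: ("RESP_SINGLE", "Go to single user mode"),
    2212: ("RESP_HALT", "take the system down"),
}
NAME_TO_NUM = {name: num for num, (name, _) in AUDIT_TYPES.items()}
_LINE_RE = re.compile(r"^type=([\w\[\]]+) msg=audit\((\d+\.\d+):(\d+)\):(.*)$")

def parse_record(line):
    """Describe one audit.log line, or return None for types not in the dictionary."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    name, _ts, serial, body = m.groups()
    # Assumed format: a number absent from the userspace dictionary is logged
    # as type=UNKNOWN[NNNN]; accept that as well as the symbolic name.
    unk = re.fullmatch(r"UNKNOWN\[(\d+)\]", name)
    num = int(unk.group(1)) if unk else NAME_TO_NUM.get(name)
    if num not in AUDIT_TYPES:
        return None
    res = re.search(r"\bres=(\w+)", body)
    sym, desc = AUDIT_TYPES[num]
    return {"type": sym, "num": num, "description": desc, "serial": int(serial),
            # RESP_* records are active: they state what was done and whether it succeeded.
            "is_response": sym.startswith("RESP_"),
            "result": res.group(1) if res else None}

# Constructed sample lines in the audit.log layout (not captured from a real host).
SAMPLE_LOG = [
    "type=USER_ACCT msg=audit(1499978000.101:301): pid=910 uid=0 auid=1000 ses=4 "
    "msg='op=PAM:accounting grantors=pam_unix acct=\"rgb\" exe=\"/usr/bin/login\" "
    "hostname=? addr=? terminal=tty1 res=success'",
    "type=USER_MGMT msg=audit(1499978010.202:302): pid=955 uid=0 auid=1000 ses=4 "
    "msg='op=changing-shell id=1000 exe=\"/usr/sbin/usermod\" terminal=pts/0 res=success'",
    "type=RESP_EXEC msg=audit(1499978020.303:303): pid=990 uid=0 auid=4294967295 "
    "ses=4294967295 msg='op=exec-script exe=\"/sbin/audisp-ids\" terminal=? res=failed'",
    "type=SYSCALL msg=audit(1499978030.404:304): arch=c000003e syscall=59 success=yes",
]

def summarize(lines):
    """Reduce recognised records to (type name, is_response, result) tuples."""
    recs = (parse_record(l) for l in lines)
    return [(r["type"], r["is_response"], r["result"]) for r in recs if r]
```

Running `summarize(SAMPLE_LOG)` yields the two passive USER_* records with their PAM/usermod results and the RESP_EXEC record flagged as an active response whose script run failed; the SYSCALL line is outside the dictionary and is skipped.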