From: Steve Grubb
Subject: Re: message type dictionary clarifications
Date: Thu, 13 Jul 2017 17:02:22 -0400
Message-ID: <1649623.6v19s9fGL4@x2>
In-Reply-To: <20170713205104.GJ17720@madcap2.tricolour.ca>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs

On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
>
> The descriptions in the userspace header file don't obviously line up
> with another source. Can I get a clarification on these two messages:
>
> AUDIT_USER_ACCT 1101 User system access authorization
> Alt: User account modification

This is access authorization. Authorization is different than authentication.
Pam sends this event during login.

> AUDIT_USER_MGMT 1102 User account attribute change
> Alt: Userspace management data

This is strictly user account attribute changes. This is usually sent by
something like usermod of shadow-utils.

> Similarly, these weren't clear to me as to whether they were active or
> passive reports. Do these records say that the RESPonse happened, or
> that the RESPonse should happen?

They should record what actually happened including success or not.
> AUDIT_RESP_ALERT 2201 Alert email was sent
> AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
> AUDIT_RESP_EXEC 2210 Execute a script
> AUDIT_RESP_HALT 2212 take the system down
> AUDIT_RESP_KILL_PROC 2202 Kill program
> AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
> AUDIT_RESP_SINGLE 2211 Go to single user mode
> AUDIT_RESP_TERM_ACCESS 2203 Terminate session
> AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?

It means a script was executed in response.

-Steve

> I suspect they are all active and this EXEC one means a script
> was executed in response.
>
> Thanks!
>
> - RGB
>
> --
> Richard Guy Briggs
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
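As an added illustration of the distinction the thread settles (the USER_ACCT/USER_MGMT record types and the RESP_* records as after-the-fact reports that carry a success/failure outcome), the following script is example code written for this page, not part of the linux-audit project or of either poster's message. It parses audit-log records of the `type=NAME msg=audit(ts:serial): ... msg='... res=...'` shape, maps the type name to the number and description quoted in the thread, and reads the `res=` field to tell whether the reported action succeeded. The three log lines are constructed for the example; the `op=` values, pids and timestamps in them are invented and are not real records.

```python
import re
from typing import Dict, List, Optional, Tuple

# Type numbers and descriptions exactly as quoted in the thread.
AUDIT_TYPES: Dict[str, Tuple[int, str]] = {
    "USER_ACCT": (1101, "User system access authorization"),
    "USER_MGMT": (1102, "User account attribute change"),
    "RESP_ANOMALY": (2200, "Anomaly not reacted to"),
    "RESP_ALERT": (2201, "Alert email was sent"),
    "RESP_KILL_PROC": (2202, "Kill program"),
    "RESP_TERM_ACCESS": (2203, "Terminate session"),
    "RESP_TERM_LOCK": (2208, "Terminal was locked"),
    "RESP_SEBOOL": (2209, "Set an SELinux boolean"),
    "RESP_EXEC": (2210, "Execute a script"),
    "RESP_SINGLE": (2211, "Go to single user mode"),
    "RESP_HALT": (2212, "take the system down"),
}

# Outer record header: type=NAME msg=audit(seconds.millis:serial): <rest>
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value tokens; the value is double-quoted, single-quoted or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_fields(text: str) -> Dict[str, str]:
    """Flatten key=value pairs; a single-quoted value (the msg='...' payload) is parsed recursively."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(text):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_fields(raw[1:-1]))  # nested payload, merged into the same dict
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    name = m.group("type")
    number, description = AUDIT_TYPES.get(name, (None, "not in the dictionary above"))
    if number is not None and 2200 <= number <= 2299:
        family = "response"       # RESP_*: reports an action that was taken, with its outcome
    elif number is not None and 1100 <= number <= 1199:
        family = "user-account"   # USER_ACCT / USER_MGMT
    else:
        family = "other"
    fields = parse_fields(m.group("rest"))
    return {
        "type": name,
        "number": number,
        "description": description,
        "family": family,
        "serial": int(m.group("serial")),
        "timestamp": float(m.group("ts")),
        "outcome": fields.get("res"),  # "success" / "failed" as recorded; None if absent
        "fields": fields,
    }


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every recognisable record, skipping non-audit lines."""
    return [r for r in (parse_record(ln) for ln in lines) if r is not None]


def failed_responses(lines: List[str]) -> List[Dict[str, object]]:
    """RESP_* records whose res= field says the response did not actually happen."""
    return [r for r in summarize(lines) if r["family"] == "response" and r["outcome"] != "success"]


# Constructed sample records (invented values, shaped like real audit log lines).
SAMPLE_LINES = [
    "type=USER_ACCT msg=audit(1499979724.123:301): pid=2201 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:accounting grantors=pam_unix acct=\"alice\" exe=\"/usr/bin/login\" "
    "hostname=? addr=? terminal=tty1 res=success'",
    "type=USER_MGMT msg=audit(1499979730.456:302): pid=2250 uid=0 auid=1000 ses=3 "
    "msg='op=changing-home-dir id=1001 exe=\"/usr/sbin/usermod\" hostname=? addr=? terminal=pts/0 res=success'",
    "type=RESP_EXEC msg=audit(1499979740.789:303): pid=2300 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=execute-script exe=\"/usr/sbin/audispd\" hostname=? addr=? terminal=? res=failed'",
]

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        print(f"{rec['serial']} {rec['type']} ({rec['number']}) [{rec['family']}] "
              f"{rec['description']}: res={rec['outcome']}")
    print("responses that did not succeed:", [r["type"] for r in failed_responses(SAMPLE_LINES)])
```

The `family` split follows the thread: the 11xx records describe what PAM or shadow-utils did to a user's access or account, while the 22xx records report a response that was already attempted, so `res=` is the field to alert on when the response itself failed.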