From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: kunal chandarana <chandarana.kunal@gmail.com>
Subject: Re: Linux-audit Digest, Vol 40, Issue 8
Date: Mon, 14 Jan 2008 06:27:28 -0500
Message-ID: <200801140627.28303.sgrubb@redhat.com>
In-Reply-To: <770716a30801140306x5d7e5d9cha9f812aa8fe6f3fa@mail.gmail.com>

On Monday 14 January 2008 06:06:33 kunal chandarana wrote:
> In audit logs one field which is always present is "TYPE".
>
> What does this type indicate?

It signifies the record's type.

> If this type indicates the symbolic constants which are defined in
> linux/audit.h then types like USER_AUTH, USER_ACCT, CRED_ACQ etc are not
> defined in that particular file.

In audit.h, things are name spaced so they don't collide with defines
elsewhere. They all have an AUDIT_ prefix. So, if you wanted to map them,
AUDIT_USER_LOGIN would be printed as USER_LOGIN. There is a function that
does this mapping from number to string and another string to number. From
libaudit.h:

extern int audit_name_to_msg_type(const char *msg_type);
extern const char *audit_msg_type_to_name(int msg_type);

You should not have to write this function yourself since the audit libraries
have conversion functions.

-Steve
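
The prefix relationship described in the message, as an added example that is not part of the original email and is not libaudit code. It uses a small subset of record types and hypothetical demo_* helpers as stand-ins so it runs without the library; the sample log lines are constructed.

```c
/* Added example: stand-in for the libaudit mapping. Real code should call
 * audit_name_to_msg_type() / audit_msg_type_to_name() from libaudit.h. */
#include <stdio.h>
#include <string.h>

/* Subset of record types. Each entry yields the AUDIT_-prefixed constant
 * and the unprefixed name that appears in the log's type= field. */
#define TYPES(X) \
    X(USER_AUTH, 1100) X(USER_ACCT, 1101) X(CRED_ACQ, 1103) X(USER_LOGIN, 1112)
#define AS_ENUM(name, num) AUDIT_##name = num,
#define AS_ROW(name, num) { #name, AUDIT_##name },
enum { TYPES(AS_ENUM) };
static const struct { const char *name; int num; } type_table[] = { TYPES(AS_ROW) };
#define N_TYPES (sizeof type_table / sizeof type_table[0])

/* Hypothetical helper: record type name -> number, -1 if not in the subset. */
int demo_name_to_type(const char *name) {
    for (size_t i = 0; i < N_TYPES; i++)
        if (strcmp(type_table[i].name, name) == 0)
            return type_table[i].num;
    return -1;
}

/* Hypothetical helper: record type number -> name, NULL if not in the subset. */
const char *demo_type_to_name(int num) {
    for (size_t i = 0; i < N_TYPES; i++)
        if (type_table[i].num == num)
            return type_table[i].name;
    return NULL;
}

/* Read the leading type= field of a raw log line; -1 if absent or unmapped. */
int demo_record_type(const char *line) {
    char name[32];
    if (sscanf(line, "type=%31[A-Z0-9_]", name) != 1)
        return -1;
    return demo_name_to_type(name);
}

int main(void) {
    /* Constructed sample records, not taken from a real system. */
    const char *lines[] = {
        "type=USER_AUTH msg=audit(1200310000.001:10): constructed sample",
        "type=CRED_ACQ msg=audit(1200310000.002:11): constructed sample",
        "type=NOT_A_TYPE msg=audit(1200310000.003:12): constructed sample",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d\n", demo_record_type(lines[i]));
}
```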