From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: How to learn the Message type?
Date: Sat, 2 Jan 2010 08:47:35 -0500	[thread overview]
Message-ID: <201001020847.35415.sgrubb@redhat.com> (raw)
In-Reply-To: <246d04460912301859x422deb03m164ee813529df94e@mail.gmail.com>

On Wednesday 30 December 2009 09:59:49 pm 陈洁丹 wrote:
> Every record contains a type field. It's about the message type such as
> AUDIT_AVC, AUDIT_SYSCALL and so on.
> Does AVC mean Mandatory Access Control?

Specifically, it's a SE Linux access control decision. You have to look at the 
syscall record to see if it was actually successful.

> Are all the message types listed in msg_typetab.h?

Yes. There are a few more, but you will never see them since they are command 
types rather than events.

> What do they mean exactly?
> Where can I get the information about them?

The header file usually has a brief 1 sentence comment about what it's used for. 
You would look in 1 of 2 places:

/usr/include/linux/audit.h
/usr/include/libaudit.h

> I look into _LIBAUDIT_H_, and find this sentence
>  * 1300 - 1399 audit event messages
> But in this file, I find nothing about audit event messages.
> Can anyone give me a URL or give a book for me about the audit event
> messages?

The audit events are divided into broad categories so that similar events are 
in the same range of numbers. This is what it's referring to. But look at the 2 
header files and you should know more about it.

-Steve
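Steve's point that an AVC record alone does not tell you whether the access went through can be checked mechanically. The following is an added example, not code from the thread or from the audit project: it groups records by their audit(timestamp:serial) event id and reads the success= field of the SYSCALL record that belongs to each AVC denial; the log lines are constructed for the example.

```python
import re

# Constructed sample log (not from the thread): two events, each an AVC record
# followed by the SYSCALL record of the same audit(ts:serial) id. Event 42 is an
# enforced denial; event 43 is permissive mode: AVC says "denied", syscall ran.
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1262440055.123:42): avc:  denied  { read } for  '
    'pid=1234 comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1262440055.123:42): arch=c000003e syscall=2 '
    'success=no exit=-13 pid=1234 uid=1000 comm="cat" exe="/bin/cat"',
    'type=AVC msg=audit(1262440060.456:43): avc:  denied  { read } for  '
    'pid=1235 comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1262440060.456:43): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=1235 uid=1000 comm="cat" exe="/bin/cat"',
])

# type=<NAME> msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")

def parse_record(line):
    """Split one audit line into (type, serial, body, {key: value})."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
    return rtype, int(serial), body, fields

def correlate(log_text):
    """Group records by event serial; for each AVC denial, read the SYSCALL
    record of the same event to learn whether the denial took effect."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue            # not an audit record (e.g. blank line)
        rtype, serial, body, fields = rec
        ev = events.setdefault(serial, {"avc_denied": False, "success": None})
        if rtype == "AVC" and " denied " in body:
            ev["avc_denied"] = True
        elif rtype == "SYSCALL":
            ev["success"] = fields.get("success") == "yes"
    return events

def verdict(ev):
    """One-line verdict for an event returned by correlate()."""
    if not ev["avc_denied"]:
        return "no AVC denial"
    if ev["success"] is None:
        return "AVC denial without a SYSCALL record: outcome unknown"
    if ev["success"]:
        return "AVC denial but syscall succeeded (permissive mode?)"
    return "enforced denial"
```

Run `verdict()` over `correlate(SAMPLE_LOG)` to see event 42 reported as enforced and event 43 flagged as a denial whose syscall still succeeded.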
