From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: From where ANOM_MK_EXEC , ANOM_ROOT_TRANS ,comes ?
Date: Sat, 20 May 2017 20:20:42 -0400
Message-ID: <2542742.DZjTTirffX@x2>
In-Reply-To: <691801495285477@web23m.yandex.ru>
On Saturday, May 20, 2017 9:04:37 AM EDT Lev Olshvang wrote:
> Hello list
>
>
> There are events particularly interesting for an IDS, like ANOM_MK_EXEC,
This was in the now defunct prelude plugin.
> ANOM_ROOT_TRANS. These audit events are listed in the RHEL7 Security Guide.
Not sure where this one is. But the main thing is that the ANOM and RESP
classes of events are for use by IDS and IPS respectively. I have been slowly
working my way back up the stack with the aim of providing a basic IDS/IPS
plugin that will generate all these events. I think many of the ANOM ones were in
the prelude plugin and will be used again. For now they are placeholders.
-Steve
> On my Ubuntu distro they are absent at the user-space level:
> /usr/include/linux/audit.h
>
> I have the RHEL7 kernel source linux-3.10.0-514.16.1.el7, which I downloaded
> from CentOS.
>
>
> ANOM_MK_EXEC and ANOM_ROOT_TRANS do not appear there, neither in
>
> linux-3.10.0-514.16.1.el7/include/uapi/linux/audit.h nor in the .c files.
>
>
> Please help me to understand who sends these events?
>
>
> Thanks,
> Lev
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
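To illustrate the point of the reply, that ANOM_* records are produced in user space by an IDS plugin working from ordinary kernel records rather than by the kernel itself, here is a small detector written in the style of an audisp plugin (records arrive as text lines, grouped by event serial). It is an added example, not code from this thread, from audit-userspace or from the old prelude plugin. The mapping of ANOM_ROOT_TRANS onto "login uid is a real user but the process runs as uid 0" and of ANOM_MK_EXEC onto "a successful chmod-family call set an execute bit", the x86_64 syscall numbers, and the sample audit records are all my assumptions.

```python
"""Toy audisp-style detector that derives two ANOM_* events from kernel records.

Added example, not code from the thread, audit-userspace or the old prelude
plugin. Assumptions (mine, not the list's): ANOM_ROOT_TRANS is raised when a
SYSCALL record shows a real login uid (auid) running with uid 0, and
ANOM_MK_EXEC when a successful chmod/fchmod/fchmodat sets an execute bit.
Syscall numbers are x86_64 (chmod=90, fchmod=91, fchmodat=268). The sample
records below are constructed for the example, not captured from a real host.
"""
import re
from collections import defaultdict

AUID_UNSET = 4294967295                     # kernel sentinel: no login uid recorded
MODE_ARG = {90: "a1", 91: "a1", 268: "a2"}  # syscall nr -> register holding the mode
EXEC_BITS = 0o111

HDR_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, one event per serial: 201 chmod 0755 by a user, 202 a root
# shell under a user's login session, 203 chmod 0644 (no exec bit), 204 a daemon
# with no login uid. Only 201 and 202 should produce anomalies.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1495300000.101:201): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d0c3a1e2c0 a2=1ed a3=0 items=1 ppid=2210 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1495300000.101:201): cwd="/home/lev"
type=PATH msg=audit(1495300000.101:201): item=0 name="dropper.sh" inode=131 dev=fd:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1495300000.250:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c3a1f100 a1=55d0c3a1f1c0 a2=55d0c3a1f2e0 a3=0 items=2 ppid=2311 pid=2350 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1495300000.250:202): item=0 name="/usr/bin/bash" inode=262 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1495300000.400:203): arch=c000003e syscall=90 success=yes exit=0 a0=55d0c3a2a000 a1=1a4 a2=0 a3=0 items=1 ppid=2210 pid=2360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1495300000.400:203): item=0 name="notes.txt" inode=140 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1495300000.500:204): arch=c000003e syscall=59 success=yes exit=0 a0=7f00 a1=7f10 a2=7f20 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
"""


def parse_record(line):
    """Split one audit record into (type, timestamp, serial, {field: value}) or None."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, int(serial), fields


def group_events(lines):
    """Group records by serial: one kernel event is several records sharing it."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[2]].append(rec)
    return events


def classify(records):
    """Return [(ANOM_* name, reason)] that this event's records justify."""
    syscall = next((r for r in records if r[0] == "SYSCALL"), None)
    if syscall is None:
        return []
    f = syscall[3]
    found = []
    auid, uid = int(f.get("auid", AUID_UNSET)), int(f.get("uid", -1))
    # A real login uid executing as root: the "user became root" case.
    if auid not in (0, AUID_UNSET) and uid == 0:
        found.append(("ANOM_ROOT_TRANS",
                      "auid=%d running as uid=0 comm=%s" % (auid, f.get("comm"))))
    nr = int(f.get("syscall", -1))
    if nr in MODE_ARG and f.get("success") == "yes":
        mode = int(f[MODE_ARG[nr]], 16)      # syscall registers are logged as bare hex
        if mode & EXEC_BITS:
            name = next((r[3].get("name") for r in records
                         if r[0] == "PATH" and r[3].get("nametype") == "NORMAL"), "?")
            found.append(("ANOM_MK_EXEC", "path=%s mode=%#o" % (name, mode)))
    return found


def detect(lines):
    """Run the detector over raw audit lines; return synthetic ANOM_* record strings."""
    out = []
    for serial, records in sorted(group_events(lines).items()):
        ts = records[0][1]
        for name, reason in classify(records):
            out.append("type=%s msg=audit(%s:%d): %s" % (name, ts, serial, reason))
    return out


if __name__ == "__main__":
    for line in detect(SAMPLE_LOG.splitlines()):
        print(line)
```

The example only formats the derived records as text; a real plugin would hand each one to libaudit's audit_log_user_message() so that it lands in the audit trail and can be found with ausearch -m ANOM_MK_EXEC, and it would be the plugin's own configuration, not the kernel, that decides which record patterns count as an anomaly.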