Subject: From where do ANOM_MK_EXEC, ANOM_ROOT_TRANS come?
From: Lev Olshvang @ 2017-05-20 13:04 UTC (permalink / raw)
  To: linux-audit

Hello list,

There are events particularly interesting for an IDS, like ANOM_MK_EXEC, ANOM_ROOT_TRANS.
These audit events are listed in the RHEL7 Security Guide.

On my Ubuntu distro they are absent at the user-space level in /usr/include/linux/audit.h.

I have the RHEL7 kernel source linux-3.10.0-514.16.1.el7, which I downloaded from CentOS.

ANOM_MK_EXEC, ANOM_ROOT_TRANS do not appear there, neither in the include file
linux-3.10.0-514.16.1.el7/include/uapi/linux/audit.h nor in the C files.

Please help me to understand who sends these events?

ThanX,
Lev


Subject: Re: From where do ANOM_MK_EXEC, ANOM_ROOT_TRANS come?
From: Steve Grubb @ 2017-05-21  0:20 UTC (permalink / raw)
  To: linux-audit

On Saturday, May 20, 2017 9:04:37 AM EDT Lev Olshvang wrote:
> Hello list
> 
> 
> There are events particularly interesting for an IDS, like ANOM_MK_EXEC,

This was in the now defunct prelude plugin.

> ANOM_ROOT_TRANS. These audit events are listed in the RHEL7 Security Guide.

Not sure where this one is. But the main thing is that the ANOM and RESP 
classes of events are for use by IDS and IPS respectively. I have been slowly 
working my way back up the stack with the aim of providing a basic IDS/IPS 
plugin that will generate all these events. I think many of the ANOM ones were in 
the prelude plugin and will be used again. For now they are placeholders.

-Steve

> On my Ubuntu distro they are absent at the user-space level in
> /usr/include/linux/audit.h.
> 
> I have the RHEL7 kernel source linux-3.10.0-514.16.1.el7, which I downloaded
> from CentOS.
> 
> ANOM_MK_EXEC, ANOM_ROOT_TRANS do not appear there, neither in the include file
> linux-3.10.0-514.16.1.el7/include/uapi/linux/audit.h nor in the C files.
> 
> Please help me to understand who sends these events?
> 
> 
> ThanX,
> Lev
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
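To make the check Lev did by hand repeatable, here is a small Python script. It is added to this page and is not code from the thread or from the audit project: it pulls every `#define AUDIT_<NAME> <number>` out of a set of header texts, groups the names into the ANOM (IDS input) and RESP (IPS response) families Steve describes, and reports which header, if any, defines a given record type. The header excerpts and all numeric values below are constructed for the example. On a real system the kernel's include/uapi/linux/audit.h (the file from the thread) holds kernel-emitted record types, while user-space record types such as the 2100-series ANOM names live in audit-userspace's libaudit.h; that second location is background the thread itself does not state.

```python
import re
from collections import defaultdict

# Constructed header excerpts for the example (not copied from any real file).
# The record-type names come from the thread and from the naming convention of
# the kernel's include/uapi/linux/audit.h and audit-userspace's libaudit.h; the
# numeric values are made up here. Check the real headers on your own system.
SAMPLE_HEADERS = {
    "include/uapi/linux/audit.h": """
/* kernel-emitted anomaly records (constructed excerpt) */
#define AUDIT_ANOM_PROMISCUOUS  1700    /* constructed value */
#define AUDIT_ANOM_ABEND        1701    /* constructed value */
""",
    "libaudit.h": """
/* user-space anomaly records emitted by daemons and plugins (constructed excerpt) */
#define AUDIT_FIRST_ANOM_MSG    2100    /* constructed value */
#define AUDIT_ANOM_MK_EXEC      2113    /* constructed value */
#define AUDIT_ANOM_ROOT_TRANS   2117    /* constructed value */
#define AUDIT_LAST_ANOM_MSG     2199    /* constructed value */
#define AUDIT_FIRST_ANOM_RESP   2200    /* constructed value */
#define AUDIT_RESP_ANOMALY      2200    /* constructed value */
#define AUDIT_LAST_ANOM_RESP    2299    /* constructed value */
""",
}

# Matches '#define AUDIT_<NAME> <decimal>' (spaces after '#' allowed), one per line.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+AUDIT_([A-Z0-9_]+)\s+(\d+)\b", re.MULTILINE)


def parse_audit_defines(text):
    """Return {name: value} for every '#define AUDIT_<name> <int>' in a header."""
    return {m.group(1): int(m.group(2)) for m in DEFINE_RE.finditer(text)}


def event_class(name):
    """Group a record type by the prefix that tells a consumer what it is for:
    ANOM_ records are anomaly reports meant for an IDS, RESP_ records describe
    the response an IPS took, FIRST_/LAST_ are range markers, anything else
    is an ordinary audit record."""
    if name.startswith(("FIRST_", "LAST_")):
        return "RANGE"
    if name.startswith("ANOM_"):
        return "ANOM"
    if name.startswith("RESP_"):
        return "RESP"
    return "OTHER"


def find_event(headers, name):
    """Return [(header_path, value)] for every header that defines AUDIT_<name>.
    An empty list means none of the given headers declares that record type."""
    hits = []
    for path, text in headers.items():
        defs = parse_audit_defines(text)
        if name in defs:
            hits.append((path, defs[name]))
    return hits


def events_by_class(headers):
    """Return {class: sorted [name, ...]} across all headers, range markers excluded."""
    groups = defaultdict(set)
    for text in headers.values():
        for name in parse_audit_defines(text):
            cls = event_class(name)
            if cls != "RANGE":
                groups[cls].add(name)
    return {cls: sorted(names) for cls, names in groups.items()}


if __name__ == "__main__":
    # Real usage: read the header files from disk into a {path: text} dict
    # and pass that instead of SAMPLE_HEADERS.
    for wanted in ("ANOM_MK_EXEC", "ANOM_ROOT_TRANS", "ANOM_ABEND"):
        print(wanted, "->", find_event(SAMPLE_HEADERS, wanted) or "not defined in these headers")
    for cls, names in sorted(events_by_class(SAMPLE_HEADERS).items()):
        print(cls, names)
```

Run against a real tree by reading the headers into the same `{path: text}` shape. A name that shows up only in the user-space header is one that the kernel never emits; whether anything actually sends it depends, as Steve says, on which audispd plugin is generating it.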
