[RFC PATCH] specs: update message dictionary with source column

[RFC PATCH] specs: update message dictionary with source column

[Richard Guy Briggs]

Add a column to indicate the source of the message, including indicating
whether or not it is related to syscalls.

Column name: SOURCE
Key:
	CTL	Control messages, usually initiated by audit daemon.
	DEP	Deprecated message types
	IND	Independent kernel message
	USR	User message
	SC	System-call related kernel message

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 specs/messages/message-dictionary.csv |  393 +++++++++++++++++----------------
 1 files changed, 197 insertions(+), 196 deletions(-)

diff --git a/specs/messages/message-dictionary.csv b/specs/messages/message-dictionary.csv
index 9831236..a0f8983 100644
--- a/specs/messages/message-dictionary.csv
+++ b/specs/messages/message-dictionary.csv
@@ -1,196 +1,197 @@
-MACRO NAME,VALUE,DESCRIPITON
-AUDIT_GET,1000,Get status
-AUDIT_SET,1001,Set status (enable/disable/auditd)
-AUDIT_LIST,1002,List syscall rules -- deprecated
-AUDIT_ADD,1003,Add syscall rule -- deprecated
-AUDIT_DEL,1004,Delete syscall rule -- deprecated
-AUDIT_USER,1005,Message from userspace -- deprecated
-AUDIT_LOGIN,1006,Define the login ID and information
-AUDIT_WATCH_INS,1007,Insert file/dir watch entry
-AUDIT_WATCH_REM,1008,Remove file/dir watch entry
-AUDIT_WATCH_LIST,1009,List all file/dir watches
-AUDIT_SIGNAL_INFO,1010,Get info about sender of signal to auditd
-AUDIT_ADD_RULE,1011,Add syscall filtering rule
-AUDIT_DEL_RULE,1012,Delete syscall filtering rule
-AUDIT_LIST_RULES,1013,List syscall filtering rules
-AUDIT_TRIM,1014,Trim junk from watched tree
-AUDIT_MAKE_EQUIV,1015,Append to watched tree
-AUDIT_TTY_GET,1016,Get TTY auditing status
-AUDIT_TTY_SET,1017,Set TTY auditing status
-AUDIT_SET_FEATURE,1018,Turn an audit feature on or off
-AUDIT_GET_FEATURE,1019,Get which features are enabled
-AUDIT_USER_AUTH,1100,User system access authentication
-AUDIT_USER_ACCT,1101,User system access authorization
-AUDIT_USER_MGMT,1102,User account attribute change
-AUDIT_CRED_ACQ,1103,User credential acquired
-AUDIT_CRED_DISP,1104,User credential disposed
-AUDIT_USER_START,1105,User session start
-AUDIT_USER_END,1106,User session end
-AUDIT_USER_AVC,1107,User space AVC (Access Vector Cache) message
-AUDIT_USER_CHAUTHTOK,1108,User account password or PIN changed
-AUDIT_USER_ERR,1109,User account state error
-AUDIT_CRED_REFR,1110,User credential refreshed
-AUDIT_USYS_CONFIG,1111,User space system config change
-AUDIT_USER_LOGIN,1112,User has logged in
-AUDIT_USER_LOGOUT,1113,User has logged out
-AUDIT_ADD_USER,1114,User account added
-AUDIT_DEL_USER,1115,User account deleted
-AUDIT_ADD_GROUP,1116,Group account added
-AUDIT_DEL_GROUP,1117,Group account deleted
-AUDIT_DAC_CHECK,1118,User space DAC check results
-AUDIT_CHGRP_ID,1119,User space group ID changed
-AUDIT_TEST,1120,Used for test success messages
-AUDIT_TRUSTED_APP,1121,Trusted app msg - freestyle text
-AUDIT_USER_SELINUX_ERR,1122,SELinux user space error
-AUDIT_USER_CMD,1123,User shell command and args
-AUDIT_USER_TTY,1124,Non-ICANON TTY input meaning
-AUDIT_CHUSER_ID,1125,Changed user ID supplemental data
-AUDIT_GRP_AUTH,1126,Authentication for group password
-AUDIT_SYSTEM_BOOT,1127,System boot
-AUDIT_SYSTEM_SHUTDOWN,1128,System shutdown
-AUDIT_SYSTEM_RUNLEVEL,1129,System runlevel change
-AUDIT_SERVICE_START,1130,Service (daemon) start
-AUDIT_SERVICE_STOP,1131,Service (daemon) stop
-AUDIT_GRP_MGMT,1132,Group account attribute was modified
-AUDIT_GRP_CHAUTHTOK,1133,Group account password or PIN changed
-AUDIT_MAC_CHECK,1134,User space MAC (Mandatory Access Control) decision results
-AUDIT_ACCT_LOCK,1135,User's account locked by admin
-AUDIT_ACCT_UNLOCK,1136,User's account unlocked by admin
-AUDIT_DAEMON_START,1200,Daemon startup record
-AUDIT_DAEMON_END,1201,Daemon normal stop record
-AUDIT_DAEMON_ABORT,1202,Daemon error stop record
-AUDIT_DAEMON_CONFIG,1203,Daemon config change
-AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
-AUDIT_DAEMON_ROTATE,1205,Auditd should rotate logs
-AUDIT_DAEMON_RESUME,1206,Auditd should resume logging
-AUDIT_DAEMON_ACCEPT,1207,Auditd accepted remote connection
-AUDIT_DAEMON_CLOSE,1208,Auditd closed remote connection
-AUDIT_DAEMON_ERR,1209,Auditd internal error
-AUDIT_SYSCALL,1300,System call event information
-AUDIT_FS_WATCH,1301,Deprecated
-AUDIT_PATH,1302,Filename path information
-AUDIT_IPC,1303,System call IPC (Inter-Process Communication) object
-AUDIT_SOCKETCALL,1304,System call socketcall arguments
-AUDIT_CONFIG_CHANGE,1305,Audit system configuration change
-AUDIT_SOCKADDR,1306,System call socket address argument information
-AUDIT_CWD,1307,Current working directory
-AUDIT_EXECVE,1309,Arguments supplied to the execve system call
-AUDIT_IPC_SET_PERM,1311,IPC new permissions record type
-AUDIT_MQ_OPEN,1312,POSIX MQ open record type
-AUDIT_MQ_SENDRECV,1313,POSIX MQ send/receive record type
-AUDIT_MQ_NOTIFY,1314,POSIX MQ notify record type
-AUDIT_MQ_GETSETATTR,1315,POSIX MQ get/set attribute record type
-AUDIT_KERNEL_OTHER,1316,For use by 3rd party modules
-AUDIT_FD_PAIR,1317,Information for pipe and socketpair system calls
-AUDIT_OBJ_PID,1318,ptrace target
-AUDIT_TTY,1319,Input on an administrative TTY
-AUDIT_EOE,1320,End of multi-record event
-AUDIT_BPRM_FCAPS,1321,Information about file system capabilities increasing permissions
-AUDIT_CAPSET,1322,Record showing argument to sys_capset setting process-based capabilities
-AUDIT_MMAP,1323,Mmap system call file descriptor and flags
-AUDIT_NETFILTER_PKT,1324,Packets traversing netfilter chains
-AUDIT_NETFILTER_CFG,1325,Netfilter chain modifications
-AUDIT_SECCOMP,1326,Secure Computing event
-AUDIT_PROCTITLE,1327,Process Title info
-AUDIT_FEATURE_CHANGE,1328,Audit feature changed value
-AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
-AUDIT_KERN_MODULE,1330,Kernel Module events
-AUDIT_AVC,1400,SELinux AVC (Access Vector Cache) denial or grant
-AUDIT_SELINUX_ERR,1401,Internal SELinux errors
-AUDIT_AVC_PATH,1402,"dentry, vfsmount pair from AVC"
-AUDIT_MAC_POLICY_LOAD,1403,SELinux Policy file load
-AUDIT_MAC_STATUS,1404,"SELinux mode (enforcing, permissive, off) changed"
-AUDIT_MAC_CONFIG_CHANGE,1405,SELinux Boolean value modification
-AUDIT_MAC_UNLBL_ALLOW,1406,NetLabel: allow unlabeled traffic
-AUDIT_MAC_CIPSOV4_ADD,1407,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_CIPSOV4_DEL,1408,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_MAP_ADD,1409,NetLabel: add LSM (Linux Security Module) domain mapping
-AUDIT_MAC_MAP_DEL,1410,NetLabel: del LSM (Linux Security Module) domain mapping
-AUDIT_MAC_IPSEC_ADDSA,1411,Not used
-AUDIT_MAC_IPSEC_DELSA,1412,Not used
-AUDIT_MAC_IPSEC_ADDSPD,1413,Not used
-AUDIT_MAC_IPSEC_DELSPD,1414,Not used
-AUDIT_MAC_IPSEC_EVENT,1415,Audit an IPsec event
-AUDIT_MAC_UNLBL_STCADD,1416,NetLabel: add a static label
-AUDIT_MAC_UNLBL_STCDEL,1417,NetLabel: del a static label
-AUDIT_MAC_CALIPSO_ADD,1418,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_MAC_CALIPSO_DEL,1419,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_AA,1500,
-AUDIT_APPARMOR_AUDIT,1501,
-AUDIT_APPARMOR_ALLOWED,1502,
-AUDIT_APPARMOR_DENIED,1503,
-AUDIT_APPARMOR_HINT,1504,
-AUDIT_APPARMOR_STATUS,1505,
-AUDIT_APPARMOR_ERROR,1506,
-AUDIT_ANOM_PROMISCUOUS,1700,Device changed promiscuous mode
-AUDIT_ANOM_ABEND,1701,Process ended abnormally
-AUDIT_ANOM_LINK,1702,Suspicious use of file links
-AUDIT_INTEGRITY_DATA,1800,Data integrity verification
-AUDIT_INTEGRITY_METADATA,1801,Metadata integrity verification
-AUDIT_INTEGRITY_STATUS,1802,Integrity enable status
-AUDIT_INTEGRITY_HASH,1803,Integrity HASH type
-AUDIT_INTEGRITY_PCR,1804,PCR (Platform Configuration Register) invalidation messages
-AUDIT_INTEGRITY_RULE,1805,Policy rule
-AUDIT_KERNEL,2000,Kernel audit status
-AUDIT_ANOM_LOGIN_FAILURES,2100,Failed login limit reached
-AUDIT_ANOM_LOGIN_TIME,2101,Login attempted at bad time
-AUDIT_ANOM_LOGIN_SESSIONS,2102,Maximum concurrent sessions reached
-AUDIT_ANOM_LOGIN_ACCT,2103,Login attempted to watched account
-AUDIT_ANOM_LOGIN_LOCATION,2104,Login from forbidden location
-AUDIT_ANOM_MAX_DAC,2105,Max DAC (Discretionary Access Control) failures reached
-AUDIT_ANOM_MAX_MAC,2106,Max MAC (Mandatory Access Control) failures reached
-AUDIT_ANOM_AMTU_FAIL,2107,AMTU (Abstract Machine Test Utility) failure
-AUDIT_ANOM_RBAC_FAIL,2108,RBAC (Role-Based Access Control) self test failure
-AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,RBAC (Role-Based Access Control) file integrity test failure
-AUDIT_ANOM_CRYPTO_FAIL,2110,Crypto system test failure
-AUDIT_ANOM_ACCESS_FS,2111,Access of file or directory ended abnormally
-AUDIT_ANOM_EXEC,2112,Execution of file ended abnormally
-AUDIT_ANOM_MK_EXEC,2113,Make an executable
-AUDIT_ANOM_ADD_ACCT,2114,Adding a user account ended abnormally
-AUDIT_ANOM_DEL_ACCT,2115,Deleting a user account ended abnormally
-AUDIT_ANOM_MOD_ACCT,2116,Changing an account ended abnormally
-AUDIT_ANOM_ROOT_TRANS,2117,User became root
-AUDIT_RESP_ANOMALY,2200,Anomaly not reacted to
-AUDIT_RESP_ALERT,2201,Alert email was sent
-AUDIT_RESP_KILL_PROC,2202,Kill program
-AUDIT_RESP_TERM_ACCESS,2203,Terminate session
-AUDIT_RESP_ACCT_REMOTE,2204,User account locked from remote access
-AUDIT_RESP_ACCT_LOCK_TIMED,2205,User account locked for time
-AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,User account unlocked from time
-AUDIT_RESP_ACCT_LOCK,2207,User account was locked
-AUDIT_RESP_TERM_LOCK,2208,Terminal was locked
-AUDIT_RESP_SEBOOL,2209,Set an SELinux boolean
-AUDIT_RESP_EXEC,2210,Execute a script
-AUDIT_RESP_SINGLE,2211,Go to single user mode
-AUDIT_RESP_HALT,2212,Take the system down
-AUDIT_USER_ROLE_CHANGE,2300,User changed to a new SELinux role
-AUDIT_ROLE_ASSIGN,2301,Administrator assigned user to SELinux role
-AUDIT_ROLE_REMOVE,2302,Administrator removed user from SELinux role
-AUDIT_LABEL_OVERRIDE,2303,Administrator is overriding a SELinux label
-AUDIT_LABEL_LEVEL_CHANGE,2304,Object level SELinux label modified
-AUDIT_USER_LABELED_EXPORT,2305,Object exported with SELinux label
-AUDIT_USER_UNLABELED_EXPORT,2306,Object exported without SELinux label
-AUDIT_DEV_ALLOC,2307,Device was allocated
-AUDIT_DEV_DEALLOC,2308,Device was deallocated
-AUDIT_FS_RELABEL,2309,Filesystem relabeled
-AUDIT_USER_MAC_POLICY_LOAD,2310,Usersapce daemon loaded SELinux policy
-AUDIT_ROLE_MODIFY,2311,Administrator modified an SELinux role
-AUDIT_USER_MAC_CONFIG_CHANGE,2312,Change made to MAC (Mandatory Access Control) policy
-AUDIT_CRYPTO_TEST_USER,2400,Cryptographic test results
-AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,Cryptographic attribute change
-AUDIT_CRYPTO_LOGIN,2402,Cryptographic officer login
-AUDIT_CRYPTO_LOGOUT,2403,Cryptographic officer logout
-AUDIT_CRYPTO_KEY_USER,2404,"Create, delete, negotiate cryptographic key identifier"
-AUDIT_CRYPTO_FAILURE_USER,2405,"Fail decrypt, encrypt or randomize operation"
-AUDIT_CRYPTO_REPLAY_USER,2406,Cryptographic replay attack detected
-AUDIT_CRYPTO_SESSION,2407,Parameters set during TLS session establishment
-AUDIT_CRYPTO_IKE_SA,2408,Parameters related to IKE SA
-AUDIT_CRYPTO_IPSEC_SA,2409,Parameters related to IPSEC SA
-AUDIT_VIRT_CONTROL,2500,"Start, Pause, Stop VM"
-AUDIT_VIRT_RESOURCE,2501,Resource assignment
-AUDIT_VIRT_MACHINE_ID,2502,Binding of label to VM
-AUDIT_VIRT_INTEGRITY_CHECK,2503,Guest integrity results
-AUDIT_VIRT_CREATE,2504,Creation of guest image
-AUDIT_VIRT_DESTROY,2505,Destruction of guest image
-AUDIT_VIRT_MIGRATE_IN,2506,Inbound guest migration info
-AUDIT_VIRT_MIGRATE_OUT,2507,Outbound guest migration info
+MACRO NAME,VALUE,SOURCE,DESCRIPITON
+AUDIT_GET,1000,CTL,Get status
+AUDIT_SET,1001,CTL,Set status (enable/disable/auditd)
+AUDIT_LIST,1002,DEP,List syscall rules -- deprecated
+AUDIT_ADD,1003,DEP,Add syscall rule -- deprecated
+AUDIT_DEL,1004,DEP,Delete syscall rule -- deprecated
+AUDIT_USER,1005,DEP,Message from userspace -- deprecated
+AUDIT_LOGIN,1006,IND,Define the login ID and information
+AUDIT_WATCH_INS,1007,DEP,Insert file/dir watch entry
+AUDIT_WATCH_REM,1008,DEP,Remove file/dir watch entry
+AUDIT_WATCH_LIST,1009,DEP,List all file/dir watches
+AUDIT_SIGNAL_INFO,1010,CTL,Get info about sender of signal to auditd
+AUDIT_ADD_RULE,1011,CTL,Add syscall filtering rule
+AUDIT_DEL_RULE,1012,CTL,Delete syscall filtering rule
+AUDIT_LIST_RULES,1013,CTL,List syscall filtering rules
+AUDIT_TRIM,1014,CTL,Trim junk from watched tree
+AUDIT_MAKE_EQUIV,1015,CTL,Append to watched tree
+AUDIT_TTY_GET,1016,CTL,Get TTY auditing status
+AUDIT_TTY_SET,1017,CTL,Set TTY auditing status
+AUDIT_SET_FEATURE,1018,CTL,Turn an audit feature on or off
+AUDIT_GET_FEATURE,1019,CTL,Get which features are enabled
+AUDIT_USER_AUTH,1100,USR,User system access authentication
+AUDIT_USER_ACCT,1101,USR,User system access authorization
+AUDIT_USER_MGMT,1102,USR,User account attribute change
+AUDIT_CRED_ACQ,1103,USR,User credential acquired
+AUDIT_CRED_DISP,1104,USR,User credential disposed
+AUDIT_USER_START,1105,USR,User session start
+AUDIT_USER_END,1106,USR,User session end
+AUDIT_USER_AVC,1107,USR,User space AVC (Access Vector Cache) message
+AUDIT_USER_CHAUTHTOK,1108,USR,User account password or PIN changed
+AUDIT_USER_ERR,1109,USR,User account state error
+AUDIT_CRED_REFR,1110,USR,User credential refreshed
+AUDIT_USYS_CONFIG,1111,USR,User space system config change
+AUDIT_USER_LOGIN,1112,USR,User has logged in
+AUDIT_USER_LOGOUT,1113,USR,User has logged out
+AUDIT_ADD_USER,1114,USR,User account added
+AUDIT_DEL_USER,1115,USR,User account deleted
+AUDIT_ADD_GROUP,1116,USR,Group account added
+AUDIT_DEL_GROUP,1117,USR,Group account deleted
+AUDIT_DAC_CHECK,1118,USR,User space DAC check results
+AUDIT_CHGRP_ID,1119,USR,User space group ID changed
+AUDIT_TEST,1120,USR,Used for test success messages
+AUDIT_TRUSTED_APP,1121,USR,Trusted app msg - freestyle text
+AUDIT_USER_SELINUX_ERR,1122,USR,SELinux user space error
+AUDIT_USER_CMD,1123,USR,User shell command and args
+AUDIT_USER_TTY,1124,USR,Non-ICANON TTY input meaning
+AUDIT_CHUSER_ID,1125,USR,Changed user ID supplemental data
+AUDIT_GRP_AUTH,1126,USR,Authentication for group password
+AUDIT_SYSTEM_BOOT,1127,USR,System boot
+AUDIT_SYSTEM_SHUTDOWN,1128,USR,System shutdown
+AUDIT_SYSTEM_RUNLEVEL,1129,USR,System runlevel change
+AUDIT_SERVICE_START,1130,USR,Service (daemon) start
+AUDIT_SERVICE_STOP,1131,USR,Service (daemon) stop
+AUDIT_GRP_MGMT,1132,USR,Group account attribute was modified
+AUDIT_GRP_CHAUTHTOK,1133,USR,Group account password or PIN changed
+AUDIT_MAC_CHECK,1134,USR,User space MAC (Mandatory Access Control) decision results
+AUDIT_ACCT_LOCK,1135,USR,User's account locked by admin
+AUDIT_ACCT_UNLOCK,1136,USR,User's account unlocked by admin
+AUDIT_DAEMON_START,1200,USR,Daemon startup record
+AUDIT_DAEMON_END,1201,USR,Daemon normal stop record
+AUDIT_DAEMON_ABORT,1202,USR,Daemon error stop record
+AUDIT_DAEMON_CONFIG,1203,USR,Daemon config change
+AUDIT_DAEMON_RECONFIG,1204,USR,Auditd should reconfigure
+AUDIT_DAEMON_ROTATE,1205,USR,Auditd should rotate logs
+AUDIT_DAEMON_RESUME,1206,USR,Auditd should resume logging
+AUDIT_DAEMON_ACCEPT,1207,USR,Auditd accepted remote connection
+AUDIT_DAEMON_CLOSE,1208,USR,Auditd closed remote connection
+AUDIT_DAEMON_ERR,1209,USR,Auditd internal error
+AUDIT_SYSCALL,1300,SC,System call event information
+AUDIT_FS_WATCH,1301,DEP,Deprecated
+AUDIT_PATH,1302,SC,Filename path information
+AUDIT_IPC,1303,SC,System call IPC (Inter-Process Communication) object
+AUDIT_SOCKETCALL,1304,SC,System call socketcall arguments
+AUDIT_CONFIG_CHANGE,1305,IND,Audit system configuration change
+AUDIT_SOCKADDR,1306,SC,System call socket address argument information
+AUDIT_CWD,1307,SC,Current working directory
+AUDIT_EXECVE,1309,SC,Arguments supplied to the execve system call
+AUDIT_IPC_SET_PERM,1311,SC,IPC new permissions record type
+AUDIT_MQ_OPEN,1312,SC,POSIX MQ open record type
+AUDIT_MQ_SENDRECV,1313,SC,POSIX MQ send/receive record type
+AUDIT_MQ_NOTIFY,1314,SC,POSIX MQ notify record type
+AUDIT_MQ_GETSETATTR,1315,SC,POSIX MQ get/set attribute record type
+AUDIT_KERNEL_OTHER,1316,IND,For use by 3rd party modules
+AUDIT_FD_PAIR,1317,SC,Information for pipe and socketpair system calls
+AUDIT_OBJ_PID,1318,SC,ptrace target
+AUDIT_TTY,1319,IND,Input on an administrative TTY
+AUDIT_EOE,1320,CTL,End of multi-record event
+AUDIT_BPRM_FCAPS,1321,SC,Information about file system capabilities increasing permissions
+AUDIT_CAPSET,1322,SC,Record showing argument to sys_capset setting process-based capabilities
+AUDIT_MMAP,1323,SC,Mmap system call file descriptor and flags
+AUDIT_NETFILTER_PKT,1324,IND,Packets traversing netfilter chains
+AUDIT_NETFILTER_CFG,1325,IND/SC,Netfilter chain modifications
+AUDIT_SECCOMP,1326,IND,Secure Computing event
+AUDIT_PROCTITLE,1327,SC,Process Title info
+AUDIT_FEATURE_CHANGE,1328,IND,Audit feature changed value
+AUDIT_REPLACE,1329,CTL,Replace auditd if this probe unanswerd
+AUDIT_KERN_MODULE,1330,SC,Kernel Module events
+AUDIT_AVC,1400,SC,SELinux AVC (Access Vector Cache) denial or grant
+AUDIT_SELINUX_ERR,1401,SC,Internal SELinux errors
+AUDIT_AVC_PATH,1402,SC,"dentry, vfsmount pair from AVC"
+AUDIT_MAC_POLICY_LOAD,1403,SC,SELinux Policy file load
+AUDIT_MAC_STATUS,1404,SC,"SELinux mode (enforcing, permissive, off) changed"
+AUDIT_MAC_CONFIG_CHANGE,1405,SC,SELinux Boolean value modification
+AUDIT_MAC_UNLBL_ALLOW,1406,SC,NetLabel: allow unlabeled traffic
+AUDIT_MAC_CIPSOV4_ADD,1407,SC,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_CIPSOV4_DEL,1408,SC,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_MAP_ADD,1409,SC,NetLabel: add LSM (Linux Security Module) domain mapping
+AUDIT_MAC_MAP_DEL,1410,SC,NetLabel: del LSM (Linux Security Module) domain mapping
+AUDIT_MAC_IPSEC_ADDSA,1411,DEP,Not used
+AUDIT_MAC_IPSEC_DELSA,1412,DEP,Not used
+AUDIT_MAC_IPSEC_ADDSPD,1413,DEP,Not used
+AUDIT_MAC_IPSEC_DELSPD,1414,DEP,Not used
+AUDIT_MAC_IPSEC_EVENT,1415,SC,Audit an IPsec event
+AUDIT_MAC_UNLBL_STCADD,1416,SC,NetLabel: add a static label
+AUDIT_MAC_UNLBL_STCDEL,1417,SC,NetLabel: del a static label
+AUDIT_MAC_CALIPSO_ADD,1418,SC,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_MAC_CALIPSO_DEL,1419,SC,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_AA,1500,,
+AUDIT_APPARMOR_AUDIT,1501,SC,
+AUDIT_APPARMOR_ALLOWED,1502,SC,
+AUDIT_APPARMOR_DENIED,1503,SC,
+AUDIT_APPARMOR_HINT,1504,SC,
+AUDIT_APPARMOR_STATUS,1505,SC,
+AUDIT_APPARMOR_ERROR,1506,SC,
+AUDIT_APPARMOR_KILL,enum1507,SC,
+AUDIT_ANOM_PROMISCUOUS,1700,SC/IND,Device changed promiscuous mode
+AUDIT_ANOM_ABEND,1701,IND,Process ended abnormally
+AUDIT_ANOM_LINK,1702,SC?,Suspicious use of file links
+AUDIT_INTEGRITY_DATA,1800,SC,Data integrity verification
+AUDIT_INTEGRITY_METADATA,1801,SC,Metadata integrity verification
+AUDIT_INTEGRITY_STATUS,1802,SC,Integrity enable status
+AUDIT_INTEGRITY_HASH,1803,SC,Integrity HASH type
+AUDIT_INTEGRITY_PCR,1804,SC,PCR (Platform Configuration Register) invalidation messages
+AUDIT_INTEGRITY_RULE,1805,SC/IND,Policy rule
+AUDIT_KERNEL,2000,IND,Kernel audit status
+AUDIT_ANOM_LOGIN_FAILURES,2100,USR,Failed login limit reached
+AUDIT_ANOM_LOGIN_TIME,2101,USR,Login attempted at bad time
+AUDIT_ANOM_LOGIN_SESSIONS,2102,USR,Maximum concurrent sessions reached
+AUDIT_ANOM_LOGIN_ACCT,2103,USR,Login attempted to watched account
+AUDIT_ANOM_LOGIN_LOCATION,2104,USR,Login from forbidden location
+AUDIT_ANOM_MAX_DAC,2105,USR,Max DAC (Discretionary Access Control) failures reached
+AUDIT_ANOM_MAX_MAC,2106,USR,Max MAC (Mandatory Access Control) failures reached
+AUDIT_ANOM_AMTU_FAIL,2107,USR,AMTU (Abstract Machine Test Utility) failure
+AUDIT_ANOM_RBAC_FAIL,2108,USR,RBAC (Role-Based Access Control) self test failure
+AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,USR,RBAC (Role-Based Access Control) file integrity test failure
+AUDIT_ANOM_CRYPTO_FAIL,2110,USR,Crypto system test failure
+AUDIT_ANOM_ACCESS_FS,2111,USR,Access of file or directory ended abnormally
+AUDIT_ANOM_EXEC,2112,USR,Execution of file ended abnormally
+AUDIT_ANOM_MK_EXEC,2113,USR,Make an executable
+AUDIT_ANOM_ADD_ACCT,2114,USR,Adding a user account ended abnormally
+AUDIT_ANOM_DEL_ACCT,2115,USR,Deleting a user account ended abnormally
+AUDIT_ANOM_MOD_ACCT,2116,USR,Changing an account ended abnormally
+AUDIT_ANOM_ROOT_TRANS,2117,USR,User became root
+AUDIT_RESP_ANOMALY,2200,USR,Anomaly not reacted to
+AUDIT_RESP_ALERT,2201,USR,Alert email was sent
+AUDIT_RESP_KILL_PROC,2202,USR,Kill program
+AUDIT_RESP_TERM_ACCESS,2203,USR,Terminate session
+AUDIT_RESP_ACCT_REMOTE,2204,USR,User account locked from remote access
+AUDIT_RESP_ACCT_LOCK_TIMED,2205,USR,User account locked for time
+AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,USR,User account unlocked from time
+AUDIT_RESP_ACCT_LOCK,2207,USR,User account was locked
+AUDIT_RESP_TERM_LOCK,2208,USR,Terminal was locked
+AUDIT_RESP_SEBOOL,2209,USR,Set an SELinux boolean
+AUDIT_RESP_EXEC,2210,USR,Execute a script
+AUDIT_RESP_SINGLE,2211,USR,Go to single user mode
+AUDIT_RESP_HALT,2212,USR,Take the system down
+AUDIT_USER_ROLE_CHANGE,2300,USR,User changed to a new SELinux role
+AUDIT_ROLE_ASSIGN,2301,USR,Administrator assigned user to SELinux role
+AUDIT_ROLE_REMOVE,2302,USR,Administrator removed user from SELinux role
+AUDIT_LABEL_OVERRIDE,2303,USR,Administrator is overriding a SELinux label
+AUDIT_LABEL_LEVEL_CHANGE,2304,USR,Object level SELinux label modified
+AUDIT_USER_LABELED_EXPORT,2305,USR,Object exported with SELinux label
+AUDIT_USER_UNLABELED_EXPORT,2306,USR,Object exported without SELinux label
+AUDIT_DEV_ALLOC,2307,USR,Device was allocated
+AUDIT_DEV_DEALLOC,2308,USR,Device was deallocated
+AUDIT_FS_RELABEL,2309,USR,Filesystem relabeled
+AUDIT_USER_MAC_POLICY_LOAD,2310,USR,Usersapce daemon loaded SELinux policy
+AUDIT_ROLE_MODIFY,2311,USR,Administrator modified an SELinux role
+AUDIT_USER_MAC_CONFIG_CHANGE,2312,USR,Change made to MAC (Mandatory Access Control) policy
+AUDIT_CRYPTO_TEST_USER,2400,USR,Cryptographic test results
+AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,USR,Cryptographic attribute change
+AUDIT_CRYPTO_LOGIN,2402,USR,Cryptographic officer login
+AUDIT_CRYPTO_LOGOUT,2403,USR,Cryptographic officer logout
+AUDIT_CRYPTO_KEY_USER,2404,USR,"Create, delete, negotiate cryptographic key identifier"
+AUDIT_CRYPTO_FAILURE_USER,2405,USR,"Fail decrypt, encrypt or randomize operation"
+AUDIT_CRYPTO_REPLAY_USER,2406,USR,Cryptographic replay attack detected
+AUDIT_CRYPTO_SESSION,2407,USR,Parameters set during TLS session establishment
+AUDIT_CRYPTO_IKE_SA,2408,USR,Parameters related to IKE SA
+AUDIT_CRYPTO_IPSEC_SA,2409,USR,Parameters related to IPSEC SA
+AUDIT_VIRT_CONTROL,2500,USR,"Start, Pause, Stop VM"
+AUDIT_VIRT_RESOURCE,2501,USR,Resource assignment
+AUDIT_VIRT_MACHINE_ID,2502,USR,Binding of label to VM
+AUDIT_VIRT_INTEGRITY_CHECK,2503,USR,Guest integrity results
+AUDIT_VIRT_CREATE,2504,USR,Creation of guest image
+AUDIT_VIRT_DESTROY,2505,USR,Destruction of guest image
+AUDIT_VIRT_MIGRATE_IN,2506,USR,Inbound guest migration info
+AUDIT_VIRT_MIGRATE_OUT,2507,USR,Outbound guest migration info
-- 
1.7.1

Re: [RFC PATCH] specs: update message dictionary with source column

[Steve Grubb]

On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> Add a column to indicate the source of the message, including indicating
> whether or not it is related to syscalls.
> 
> Column name: SOURCE
> Key:
>         CTL     Control messages, usually initiated by audit daemon.

Most of these come from auditctl. Auditd only sends enable and setpid.

>         DEP     Deprecated message types
>         IND     Independent kernel message
>         USR     User message
>         SC      System-call related kernel message

I think that doing it like this is conflating 2 ideas: origin and class. 
Origin is user space or kernel. The record class is ctl, dep, simple, and 
compound events. There are some cases where things could be user space and 
deprecated, or kernel and deprecated. And by its nature, all user space 
originating records are simple.

To me, there are overlaps in the meaning. If they were split, this would make 
subsetting easier. For example, I can do a join of this csv file and the audit 
logs in csv to create an enhanced dataframe. Then I can subset on user 
records.

-Steve

Re: [RFC PATCH] specs: update message dictionary with source column

[Richard Guy Briggs]

On 2017-07-24 11:52, Steve Grubb wrote:
> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> > Add a column to indicate the source of the message, including indicating
> > whether or not it is related to syscalls.
> > 
> > Column name: SOURCE
> > Key:
> >         CTL     Control messages, usually initiated by audit daemon.
> 
> Most of these come from auditctl. Auditd only sends enable and setpid.

I had considered auditctl as part of the audit daemon, as opposed to
pam, systemd, vsftpd et al that supply user event messages, though I
suppose even systemd wants to play audit controller too.  I consider
AUDIT_EOE a control message even though it isn't in the 1000-block,
speaking of which I'd also added the list of message type ranges:
	https://github.com/linux-audit/audit-documentation/blob/master/specs/messages/message-dictionary-ranges.txt.

> >         DEP     Deprecated message types
> >         IND     Independent kernel message
> >         USR     User message
> >         SC      System-call related kernel message
> 
> I think that doing it like this is conflating 2 ideas: origin and class. 
> Origin is user space or kernel. The record class is ctl, dep, simple, and 
> compound events. There are some cases where things could be user space and 
> deprecated, or kernel and deprecated. And by its nature, all user space 
> originating records are simple.

It makes sense to talk of *records* as originating from kernel or
userspace, but this list also includes all message types including
control messages that may initiate in userspace, but trigger a reply of
the same message type from the kernel.

Thank you for acknowledging the assertion from another channel that all
user space records are simple.

At this point, I don't think we care about the origin of deprecated
messages, so it isn't worth complicating our nomenclature for this one
case, and that can be addressed with uDEP and kDEP or somesuch.

Can you name any compound events that are not related to a system call?
I chose the label "SC" to denote either the syscall record itself or
any of its auxilliary records.  I've also been trying to understand and
clean up any records that are used as auxilliary records so that they do
not appear as standalone records (such as ghak25/ghak35).

> To me, there are overlaps in the meaning. If they were split, this would make 
> subsetting easier. For example, I can do a join of this csv file and the audit 
> logs in csv to create an enhanced dataframe. Then I can subset on user 
> records.

I'm not totally opposed to separating the two columns, but would like a
reasonable justification for doing so to avoid needlessly cluttering the
document.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Re: [RFC PATCH] specs: update message dictionary with source column

[Paul Moore]

On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-07-24 11:52, Steve Grubb wrote:
>> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
>> > Add a column to indicate the source of the message, including indicating
>> > whether or not it is related to syscalls.
>> >
>> > Column name: SOURCE
>> > Key:
>> >         CTL     Control messages, usually initiated by audit daemon.
>>
>> Most of these come from auditctl. Auditd only sends enable and setpid.
>
> I had considered auditctl as part of the audit daemon, as opposed to
> pam, systemd, vsftpd et al that supply user event messages, though I
> suppose even systemd wants to play audit controller too ...

I think trying to chase down which application is trying to manage the
audit subsystem is a losing battle.  In fact, I honestly would
probably shrink this "source" list down to just a few possible values:
kernel, userspace, and control.  I'm not convinced that granularity
below this level is particularly useful, and could be confusing.

-- 
paul moore
www.paul-moore.com

Re: [RFC PATCH] specs: update message dictionary with source column

[Richard Guy Briggs]

On 2017-07-25 14:14, Paul Moore wrote:
> On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-07-24 11:52, Steve Grubb wrote:
> >> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> >> > Add a column to indicate the source of the message, including indicating
> >> > whether or not it is related to syscalls.
> >> >
> >> > Column name: SOURCE
> >> > Key:
> >> >         CTL     Control messages, usually initiated by audit daemon.
> >>
> >> Most of these come from auditctl. Auditd only sends enable and setpid.
> >
> > I had considered auditctl as part of the audit daemon, as opposed to
> > pam, systemd, vsftpd et al that supply user event messages, though I
> > suppose even systemd wants to play audit controller too ...
> 
> I think trying to chase down which application is trying to manage the
> audit subsystem is a losing battle.  In fact, I honestly would
> probably shrink this "source" list down to just a few possible values:
> kernel, userspace, and control.  I'm not convinced that granularity
> below this level is particularly useful, and could be confusing.

So I'm guessing from this comment that you think one column is
sufficient?  I'd really like to further break "kernel" down into
"syscall" and "independent/autonomous".

> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Re: [RFC PATCH] specs: update message dictionary with source column

[Paul Moore]

On Tue, Jul 25, 2017 at 10:51 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-07-25 14:14, Paul Moore wrote:
>> On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > On 2017-07-24 11:52, Steve Grubb wrote:
>> >> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
>> >> > Add a column to indicate the source of the message, including indicating
>> >> > whether or not it is related to syscalls.
>> >> >
>> >> > Column name: SOURCE
>> >> > Key:
>> >> >         CTL     Control messages, usually initiated by audit daemon.
>> >>
>> >> Most of these come from auditctl. Auditd only sends enable and setpid.
>> >
>> > I had considered auditctl as part of the audit daemon, as opposed to
>> > pam, systemd, vsftpd et al that supply user event messages, though I
>> > suppose even systemd wants to play audit controller too ...
>>
>> I think trying to chase down which application is trying to manage the
>> audit subsystem is a losing battle.  In fact, I honestly would
>> probably shrink this "source" list down to just a few possible values:
>> kernel, userspace, and control.  I'm not convinced that granularity
>> below this level is particularly useful, and could be confusing.
>
> So I'm guessing from this comment that you think one column is sufficient?

To specify the source, yes.  If you want to classify the messages that
is best done in a second column, IMHO.

> I'd really like to further break "kernel" down into "syscall" and "independent/autonomous".

Two thoughts:

1) Is this important?  I know this is front in your mind as you are
dealing with issues around this at the moment, but outside of your
recent experience I don't see a lot of value in this information, only
overhead in keeping it updated/correct.

2) Is this "source" information?  I would argue "no" as they all come
from the kernel.  *If* you feel this is truly important (see thought
#1) then I would rather see this in a separate column.

-- 
paul moore
www.paul-moore.com

Re: [RFC PATCH] specs: update message dictionary with source column

[Steve Grubb]

On Wednesday, July 26, 2017 6:36:24 PM EDT Paul Moore wrote:
> On Tue, Jul 25, 2017 at 10:51 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-07-25 14:14, Paul Moore wrote:
> >> On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb@redhat.com> 
wrote:
> >> > On 2017-07-24 11:52, Steve Grubb wrote:
> >> >> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> >> >> > Add a column to indicate the source of the message, including
> >> >> > indicating
> >> >> > whether or not it is related to syscalls.
> >> >> > 
> >> >> > Column name: SOURCE
> >> >> > 
> >> >> > Key:
> >> >> >         CTL     Control messages, usually initiated by audit daemon.
> >> >> 
> >> >> Most of these come from auditctl. Auditd only sends enable and setpid.
> >> > 
> >> > I had considered auditctl as part of the audit daemon, as opposed to
> >> > pam, systemd, vsftpd et al that supply user event messages, though I
> >> > suppose even systemd wants to play audit controller too ...
> >> 
> >> I think trying to chase down which application is trying to manage the
> >> audit subsystem is a losing battle.  In fact, I honestly would
> >> probably shrink this "source" list down to just a few possible values:
> >> kernel, userspace, and control.  I'm not convinced that granularity
> >> below this level is particularly useful, and could be confusing.
> > 
> > So I'm guessing from this comment that you think one column is sufficient?
> 
> To specify the source, yes.  If you want to classify the messages that
> is best done in a second column, IMHO.
> 
> > I'd really like to further break "kernel" down into "syscall" and
> > "independent/autonomous".
> Two thoughts:
> 
> 1) Is this important?  I know this is front in your mind as you are
> dealing with issues around this at the moment, but outside of your
> recent experience I don't see a lot of value in this information, only
> overhead in keeping it updated/correct.

Origination information can be useful. I'd be happy to blog about it to show 
people how to use it.

> 2) Is this "source" information?  I would argue "no" as they all come
> from the kernel.  *If* you feel this is truly important (see thought
> #1) then I would rather see this in a separate column.

They really don't all come from the kernel. They are serialized by the kernel. 
They go through the kernel. But the kernel is not always the _observer_ of an 
action that needs reporting.

-Steve

Re: [RFC PATCH] specs: update message dictionary with source column

[Paul Moore]

On Wed, Jul 26, 2017 at 11:08 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, July 26, 2017 6:36:24 PM EDT Paul Moore wrote:
>> On Tue, Jul 25, 2017 at 10:51 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > On 2017-07-25 14:14, Paul Moore wrote:
>> >> On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
>> >> > On 2017-07-24 11:52, Steve Grubb wrote:
>> >> >> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
>> >> >> > Add a column to indicate the source of the message, including
>> >> >> > indicating
>> >> >> > whether or not it is related to syscalls.
>> >> >> >
>> >> >> > Column name: SOURCE
>> >> >> >
>> >> >> > Key:
>> >> >> >         CTL     Control messages, usually initiated by audit daemon.
>> >> >>
>> >> >> Most of these come from auditctl. Auditd only sends enable and setpid.
>> >> >
>> >> > I had considered auditctl as part of the audit daemon, as opposed to
>> >> > pam, systemd, vsftpd et al that supply user event messages, though I
>> >> > suppose even systemd wants to play audit controller too ...
>> >>
>> >> I think trying to chase down which application is trying to manage the
>> >> audit subsystem is a losing battle.  In fact, I honestly would
>> >> probably shrink this "source" list down to just a few possible values:
>> >> kernel, userspace, and control.  I'm not convinced that granularity
>> >> below this level is particularly useful, and could be confusing.
>> >
>> > So I'm guessing from this comment that you think one column is sufficient?
>>
>> To specify the source, yes.  If you want to classify the messages that
>> is best done in a second column, IMHO.
>>
>> > I'd really like to further break "kernel" down into "syscall" and
>> > "independent/autonomous".
>> Two thoughts:
>>
>> 1) Is this important?  I know this is front in your mind as you are
>> dealing with issues around this at the moment, but outside of your
>> recent experience I don't see a lot of value in this information, only
>> overhead in keeping it updated/correct.
>
> Origination information can be useful. I'd be happy to blog about it to show
> people how to use it.

I agree that origination/source is important, see my comments above.
I'm less convinced about differentiating between records that are
attached to a syscall event, and those that happen independent of
syscalls.

>> 2) Is this "source" information?  I would argue "no" as they all come
>> from the kernel.  *If* you feel this is truly important (see thought
>> #1) then I would rather see this in a separate column.
>
> They really don't all come from the kernel. They are serialized by the kernel.
> They go through the kernel. But the kernel is not always the _observer_ of an
> action that needs reporting.

Regardless of what triggers the event, if the audit record is
*created* by the kernel, I would consider the kernel to be the source.

-- 
paul moore
www.paul-moore.com