From: Lev Olshvang
Subject: From where ANOM_MK_EXEC , ANOM_ROOT_TRANS ,comes ?
Date: Sat, 20 May 2017 16:04:37 +0300
Message-ID: <691801495285477@web23m.yandex.ru>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello list,

There are events that are particularly interesting for IDS, like ANOM_MK_EXEC, ANOM_ROOT_TRANS.
These audit events are listed in the RHEL7 Security Guide.

On my Ubuntu distro they are absent at the user space level in /usr/include/linux/audit.h

I have the RHEL7 kernel source linux-3.10.0-514.16.1.el7, which I downloaded from CentOS.
ANOM_MK_EXEC, ANOM_ROOT_TRANS do not appear there, neither in the include file linux-3.10.0-514.16.1.el7/include/uapi/linux/audit.h nor in the C files.

Please help me to understand who sends these events?

ThanX,
Lev