From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rbriggs@redhat.com>
Subject: Re: message type dictionary clarifications
Date: Thu, 13 Jul 2017 17:02:22 -0400 [thread overview]
Message-ID: <1649623.6v19s9fGL4@x2> (raw)
In-Reply-To: <20170713205104.GJ17720@madcap2.tricolour.ca>
On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
>
> The descriptions in the userspace header file don't obviously line up
> with another source. Can I get a clarification on these two messages:
>
> AUDIT_USER_ACCT 1101 User system access authorization
> Alt: User account modification
This is access authorization. Authorization is different than authentication.
Pam sends this event during login.
> AUDIT_USER_MGMT 1102 User account attribute change
> Alt: Userspace management data
This is strictly user account attribute changes. This is usually sent by
something like usermod of shadow-utils.
> Similarly, these weren't clear to me as to whether they were active or
> passive reports. Do these records say that the RESPonse happenned, or
> that the RESPonse should happen?
They should record what actually happened including success or not.
> AUDIT_RESP_ALERT 2201 Alert email was sent
> AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
> AUDIT_RESP_EXEC 2210 Execute a script
> AUDIT_RESP_HALT 2212 take the system down
> AUDIT_RESP_KILL_PROC 2202 Kill program
> AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
> AUDIT_RESP_SINGLE 2211 Go to single user mode
> AUDIT_RESP_TERM_ACCESS 2203 Terminate session
> AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?
It means a script was executed in response.
-Steve
> I suspect they are all active and this EXEC one means a script
> was executed in response.
>
> Thanks!
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2017-07-13 21:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-13 20:51 message type dictionary clarifications Richard Guy Briggs
2017-07-13 21:02 ` Steve Grubb [this message]
2017-07-13 23:48 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1649623.6v19s9fGL4@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rbriggs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox