* How do I get complete list of audit event types
From: Satish Chandra Kilaru @ 2014-04-08 14:53 UTC (permalink / raw)
To: linux-audit
Hi
I want to understand the logs in /var/log/audit/audit.log. Where can I get
complete list of audit event types and what they mean?
--Satish
Please Donate to www.wikipedia.org
* Re: How do I get complete list of audit event types
From: Steve Grubb @ 2014-04-08 20:41 UTC (permalink / raw)
To: linux-audit
On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote:
> Hi
>
> I want to understand the logs in /var/log/audit/audit.log. Where can I get
> complete list of audit event types
ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v 'ALL|Valid' | sort
> and what they mean?
Each event type has some comment in the header files /usr/include/libaudit.h
and /usr/include/linux/audit.h. There is also some documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
And I want to think some other distros have docs as well.
-Steve
* Re: How do I get complete list of audit event types
From: Satish Chandra Kilaru @ 2014-04-08 20:47 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Thank you.
On Tue, Apr 8, 2014 at 4:41 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote:
> > Hi
> >
> > I want to understand the logs in /var/log/audit/audit.log. Where can I
> get
> > complete list of audit event types
>
> ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v
> 'ALL|Valid' | sort
>
> > and what they mean?
>
> Each event type has some comment in the header files
> /usr/include/libaudit.h
> and /usr/include/linux/audit.h. There is also some documentation here:
>
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
>
> And I want to think some other distros have docs as well.
>
> -Steve
>
--
Please Donate to www.wikipedia.org
* Re: How do I get complete list of audit event types
From: Satish Chandra Kilaru @ 2014-04-09 15:24 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Someone might look for this info in the future...
AUDIT_ADD_GROUP " User space group added "
AUDIT_ADD_USER " User space user account added "
AUDIT_ANOM_ABEND " Process ended abnormally "
AUDIT_ANOM_ACCESS_FS Access of file or dir
AUDIT_ANOM_ADD_ACCT Adding an acct
AUDIT_ANOM_AMTU_FAIL AMTU failure
AUDIT_ANOM_CRYPTO_FAIL Crypto system test failure
AUDIT_ANOM_DEL_ACCT Deleting an acct
AUDIT_ANOM_EXEC Execution of file
AUDIT_ANOM_LOGIN_ACCT Login attempted to watched acct
AUDIT_ANOM_LOGIN_FAILURES Failed login limit reached
AUDIT_ANOM_LOGIN_LOCATION Login from forbidden location
AUDIT_ANOM_LOGIN_SESSIONS Max concurrent sessions reached
AUDIT_ANOM_LOGIN_TIME Login attempted at bad time
AUDIT_ANOM_MAX_DAC Max DAC failures reached
AUDIT_ANOM_MAX_MAC Max MAC failures reached
AUDIT_ANOM_MK_EXEC Make an executable
AUDIT_ANOM_MOD_ACCT Changing an acct
AUDIT_ANOM_PROMISCUOUS " Device changed promiscuous mode "
AUDIT_ANOM_RBAC_FAIL RBAC self test failure
AUDIT_ANOM_RBAC_INTEGRITY_FAIL RBAC file integrity failure
AUDIT_ANOM_ROOT_TRANS User became root
AUDIT_AVC " SE Linux avc denial or grant "
AUDIT_AVC_PATH " dentry, vfsmount pair from avc "
AUDIT_BPRM_FCAPS " Information about fcaps increasing perms "
AUDIT_CAPSET " Record showing argument to sys_capset "
AUDIT_CHGRP_ID " User space group ID changed "
AUDIT_CHUSER_ID " Changed user ID supplemental data "
AUDIT_CONFIG_CHANGE " Audit system configuration change "
AUDIT_CRED_ACQ " User space credential acquired "
AUDIT_CRED_DISP " User space credential disposed "
AUDIT_CRED_REFR " User space credential refreshed "
AUDIT_CRYPTO_FAILURE_USER " Fail decrypt,encrypt,randomiz "
AUDIT_CRYPTO_KEY_USER " Create,delete,negotiate "
AUDIT_CRYPTO_LOGIN " Logged in as crypto officer "
AUDIT_CRYPTO_LOGOUT " Logged out from crypto "
AUDIT_CRYPTO_PARAM_CHANGE_USER " Crypto attribute change "
AUDIT_CRYPTO_REPLAY_USER " Crypto replay detected "
AUDIT_CRYPTO_SESSION " Record parameters set during
AUDIT_CRYPTO_TEST_USER " Crypto test results "
AUDIT_CWD " Current working directory "
AUDIT_DAC_CHECK " User space DAC check results "
AUDIT_DAEMON_ABORT " Daemon error stop record "
AUDIT_DAEMON_ACCEPT " Auditd accepted remote connection "
AUDIT_DAEMON_CLOSE " Auditd closed remote connection "
AUDIT_DAEMON_CONFIG " Daemon config change "
AUDIT_DAEMON_END " Daemon normal stop record "
AUDIT_DAEMON_RESUME " Auditd should resume logging "
AUDIT_DAEMON_ROTATE " Auditd should rotate logs "
AUDIT_DAEMON_START " Daemon startup record "
AUDIT_DEL_GROUP " User space group deleted "
AUDIT_DEL_USER " User space user account deleted "
AUDIT_EOE " End of multi-record event "
AUDIT_EXECVE " execve arguments "
AUDIT_FD_PAIR " audit record for pipe
AUDIT_FS_RELABEL " Filesystem relabeled "
AUDIT_GRP_AUTH " Authentication for group password "
AUDIT_INTEGRITY_DATA #ifndef AUDIT_INTEGRITY_DATA " Data integrity verification " " Data integrity verification "
AUDIT_INTEGRITY_HASH " Integrity HASH type " " Integrity HASH type "
AUDIT_INTEGRITY_METADATA " Metadata integrity verification "
AUDIT_INTEGRITY_PCR " PCR invalidation msgs " " PCR invalidation msgs "
AUDIT_INTEGRITY_RULE " Policy rule " " policy rule "
AUDIT_INTEGRITY_STATUS " Integrity enable status " " Integrity enable status "
AUDIT_IPC " IPC record "
AUDIT_IPC_SET_PERM " IPC new permissions record type "
AUDIT_KERNEL " Asynchronous audit record. NOT A REQUEST. "
AUDIT_KERNEL_OTHER " For use by 3rd party modules "
AUDIT_LABEL_LEVEL_CHANGE " Object's level was changed "
AUDIT_LABEL_OVERRIDE " Admin is overriding a label "
AUDIT_LOGIN " Define the login id and information "
AUDIT_MAC_CIPSOV4_ADD " NetLabel: add CIPSOv4 DOI entry "
AUDIT_MAC_CIPSOV4_DEL " NetLabel: del CIPSOv4 DOI entry "
AUDIT_MAC_CONFIG_CHANGE " Changes to booleans "
AUDIT_MAC_IPSEC_ADDSA " Not used "
AUDIT_MAC_IPSEC_ADDSPD " Not used "
AUDIT_MAC_IPSEC_DELSA " Not used "
AUDIT_MAC_IPSEC_DELSPD " Not used "
AUDIT_MAC_IPSEC_EVENT " Audit an IPSec event "
AUDIT_MAC_MAP_ADD " NetLabel: add LSM domain mapping "
AUDIT_MAC_MAP_DEL " NetLabel: del LSM domain mapping "
AUDIT_MAC_POLICY_LOAD " Policy file load "
AUDIT_MAC_STATUS " Changed enforcing,permissive,off "
AUDIT_MAC_UNLBL_STCADD " NetLabel: add a static label "
AUDIT_MAC_UNLBL_STCDEL " NetLabel: del a static label "
AUDIT_MMAP #ifndef AUDIT_MMAP " Descriptor and flags in mmap " " Record showing descriptor and flags in mmap "
AUDIT_MQ_GETSETATTR " POSIX MQ get
AUDIT_MQ_NOTIFY " POSIX MQ notify record type "
AUDIT_MQ_OPEN " POSIX MQ open record type "
AUDIT_MQ_SENDRECV " POSIX MQ send
AUDIT_NETFILTER_CFG #ifndef AUDIT_NETFILTER_CFG " Netfilter chain modifications " " Netfilter chain modifications "
AUDIT_NETFILTER_PKT #ifndef AUDIT_NETFILTER_PKT " Packets traversing netfilter chains " " Packets traversing netfilter chains "
AUDIT_OBJ_PID " ptrace target "
AUDIT_PATH " Filename path information "
AUDIT_RESP_ACCT_LOCK " User acct was locked "
AUDIT_RESP_ACCT_LOCK_TIMED " User acct locked for time "
AUDIT_RESP_ACCT_REMOTE " Acct locked from remote access"
AUDIT_RESP_ACCT_UNLOCK_TIMED " User acct unlocked from time "
AUDIT_RESP_ALERT " Alert email was sent "
AUDIT_RESP_ANOMALY " Anomaly not reacted to "
AUDIT_RESP_EXEC " Execute a script "
AUDIT_RESP_HALT " take the system down "
AUDIT_RESP_KILL_PROC " Kill program "
AUDIT_RESP_SEBOOL " Set an SE Linux boolean "
AUDIT_RESP_SINGLE " Go to single user mode "
AUDIT_RESP_TERM_ACCESS " Terminate session "
AUDIT_RESP_TERM_LOCK " Terminal was locked "
AUDIT_ROLE_ASSIGN " Admin assigned user to role "
AUDIT_ROLE_MODIFY " Admin modified a role "
AUDIT_ROLE_REMOVE " Admin removed user from role "
AUDIT_SELINUX_ERR " Internal SE Linux Errors "
AUDIT_SERVICE_START " Service (daemon) start "
AUDIT_SERVICE_STOP " Service (daemon) stop "
AUDIT_SOCKADDR " sockaddr copied as syscall arg "
AUDIT_SYSTEM_BOOT " System boot "
AUDIT_SYSTEM_RUNLEVEL " System runlevel change "
AUDIT_SYSTEM_SHUTDOWN " System shutdown "
AUDIT_TEST " Used for test success messages "
AUDIT_TRUSTED_APP " Trusted app msg - freestyle text "
AUDIT_TTY " Input on an administrative TTY "
AUDIT_USER " Message from userspace -- deprecated "
AUDIT_USER_ACCT " User space acct change "
AUDIT_USER_AUTH " User space authentication "
AUDIT_USER_AVC " User space avc message " " We filter this differently "
AUDIT_USER_CHAUTHTOK " User space acct attr changed "
AUDIT_USER_CMD " User shell command and args "
AUDIT_USER_END " User space session end "
AUDIT_USER_ERR " User space acct state err "
AUDIT_USER_LABELED_EXPORT " Object exported with label "
AUDIT_USER_LOGIN " User space user has logged in "
AUDIT_USER_LOGOUT " User space user has logged out "
AUDIT_USER_MAC_POLICY_LOAD " Userspc daemon loaded policy "
AUDIT_USER_MGMT " User space acct management "
AUDIT_USER_ROLE_CHANGE " User changed to a new role "
AUDIT_USER_SELINUX_ERR " SE Linux user space error "
AUDIT_USER_START " User space session start "
AUDIT_USER_TTY " Non-ICANON TTY input meaning " " Non-ICANON TTY input meaning "
AUDIT_USER_UNLABELED_EXPORT " Object exported without label "
AUDIT_USYS_CONFIG " User space system config change "
AUDIT_VIRT_CONTROL " Start, Pause, Stop VM "
AUDIT_VIRT_MACHINE_ID " Binding of label to VM "
AUDIT_VIRT_RESOURCE " Resource assignment "
On Tue, Apr 8, 2014 at 4:47 PM, Satish Chandra Kilaru <iam.kilaru@gmail.com> wrote:
> Thank you.
>
>
> On Tue, Apr 8, 2014 at 4:41 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote:
>> > Hi
>> >
>> > I want to understand the logs in /var/log/audit/audit.log. Where can I
>> get
>> > complete list of audit event types
>>
>> ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v
>> 'ALL|Valid' | sort
>>
>> > and what they mean?
>>
>> Each event type has some comment in the header files
>> /usr/include/libaudit.h
>> and /usr/include/linux/audit.h. There is also some documentation here:
>>
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
>>
>> And I want to think some other distros have docs as well.
>>
>> -Steve
>>
>
>
>
> --
> Please Donate to www.wikipedia.org
>
--
Please Donate to www.wikipedia.org
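The two answers above give the raw material (the type names from `ausearch -m help` or the header files, and the header comments Satish pasted) but not a way to apply them to a log. The following is an added example, not code from the thread or from the audit project: it parses a table in the `AUDIT_NAME " description "` shape shown above into a type-to-description map, then groups constructed audit.log records by their `msg=audit(time:serial)` key (one event can span several records), annotates each record, and lists events that contain an `ANOM_*` record. The description excerpt, the log lines and the `type=... msg=audit(...)` record layout it expects are my assumptions and constructed samples, not captured output.

```python
"""Added example, not code from the mailing-list thread or the audit
project: build a type -> description map from the header-comment table
posted above and use it to annotate and summarise audit.log records.

Assumptions (mine): the table is pasted in the `AUDIT_NAME " description "`
shape shown in the thread, and log records use the standard
`type=NAME msg=audit(SECS.MSEC:SERIAL): key=value ...` layout.
The description excerpt and the log lines below are constructed samples.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the description table, in the shape shown in the
# thread (quoting and spacing vary from line to line, as in the original).
TYPE_TABLE = """\
AUDIT_ANOM_ABEND " Process ended abnormally "
AUDIT_ANOM_LOGIN_FAILURES Failed login limit reached
AUDIT_AVC " SE Linux avc denial or grant "
AUDIT_CWD " Current working directory "
AUDIT_EXECVE " execve arguments "
AUDIT_PATH " Filename path information "
AUDIT_USER_LOGIN " User space user has logged in "
AUDIT_USER_AVC " User space avc message " " We filter this differently "
"""

# Constructed audit.log excerpt: one execve event spanning four records,
# a login, a failed-login-limit anomaly, an abnormal exit and a junk line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1396968820.123:4201): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1396968820.123:4201): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1396968820.123:4201): cwd="/home/satish"
type=PATH msg=audit(1396968820.123:4201): item=0 name="/bin/ls" inode=1234 mode=0100755
type=USER_LOGIN msg=audit(1396968830.456:4202): pid=2222 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=192.0.2.5 terminal=/dev/pts/1 res=success'
type=ANOM_LOGIN_FAILURES msg=audit(1396968840.789:4203): pid=2300 uid=0 auid=4294967295 msg='pam_tally2 uid=1001 exe="/usr/sbin/sshd" addr=192.0.2.9 terminal=ssh res=failed'
type=ANOM_ABEND msg=audit(1396968850.001:4204): auid=1000 uid=1000 ses=3 pid=2400 comm="myapp" reason="memory violation" sig=11
this line is not an audit record
"""

_TABLE_LINE = re.compile(r'^AUDIT_([A-Z0-9_]+)\s+(.*)$')
_RECORD = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')


def parse_type_table(text):
    """Return {record_type: description} from the pasted header comments.

    The audit.log `type=` field drops the AUDIT_ prefix, so keys are stored
    without it.  Stray quotes are removed and, where the header repeated
    the comment twice, only the first copy is kept.
    """
    table = {}
    for line in text.splitlines():
        m = _TABLE_LINE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        parts = [p.strip() for p in rest.split('"') if p.strip()]
        table[name] = parts[0] if parts else ''
    return table


def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and body; None if it is not a record."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    return {'type': m['type'], 'timestamp': float(m['ts']),
            'serial': int(m['serial']), 'body': m['body']}


def group_events(log_text):
    """Group records by serial: the kernel emits several records per event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return dict(events)


def describe(record_type, table):
    """Look up a type; point at the kernel header when the table lacks it."""
    return table.get(record_type, 'unknown type (check /usr/include/linux/audit.h)')


def annotate(log_text, table):
    """One readable line per record: serial, type and its description."""
    return [f"{serial} {r['type']:<20} {describe(r['type'], table)}"
            for serial, recs in sorted(group_events(log_text).items())
            for r in recs]


def summarize(log_text, table):
    """Return (Counter of record types, sorted serials of events holding ANOM_* records)."""
    events = group_events(log_text)
    counts = Counter(r['type'] for recs in events.values() for r in recs)
    anomalies = sorted(serial for serial, recs in events.items()
                       if any(r['type'].startswith('ANOM_') for r in recs))
    return counts, anomalies


if __name__ == "__main__":
    table = parse_type_table(TYPE_TABLE)
    for line in annotate(SAMPLE_LOG, table):
        print(line)
    counts, anomalies = summarize(SAMPLE_LOG, table)
    print("record counts:", dict(counts))
    print("events containing ANOM_* records:", anomalies)
```

To use it on a real box, feed the output of the grep over `/usr/include/linux/audit.h` (or the message dictionary linked later in the thread) to `parse_type_table` and the contents of `/var/log/audit/audit.log` to `summarize`; grouping by serial matters because the `SYSCALL`, `EXECVE`, `CWD` and `PATH` records of one execve only make sense together, which is also why `ausearch` reports them as one event.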
* Re: How do I get complete list of audit event types
From: lists_todd @ 2014-04-09 16:23 UTC (permalink / raw)
To: Satish Chandra Kilaru; +Cc: linux-audit
On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru <iam.kilaru@gmail.com> wrote:
> Someone might look for this info in the future...
>
> AUDIT_ADD_GROUP " User space group added "
> AUDIT_ADD_USER " User space user account added "
> AUDIT_ANOM_ABEND " Process ended abnormally "
> ...
Thanks!!!
Todd
* Re: How do I get complete list of audit event types
From: Richard Guy Briggs @ 2017-11-23 17:57 UTC (permalink / raw)
To: lists_todd; +Cc: linux-audit
On 2014-04-09 09:23, lists_todd@mac.com wrote:
> On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru <iam.kilaru@gmail.com> wrote:
>
> > Someone might look for this info in the future...
> >
> > AUDIT_ADD_GROUP " User space group added "
> > AUDIT_ADD_USER " User space user account added "
> > AUDIT_ANOM_ABEND " Process ended abnormally "
> > ...
>
> Thanks!!!
This thread is a little stale, but here's a list that is being updated:
https://github.com/linux-audit/audit-documentation/blob/master/specs/messages/message-dictionary.csv
> Todd
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit