From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Dictionary of audit records
Date: Thu, 16 Aug 2007 15:57:29 -0400 [thread overview]
Message-ID: <200708161557.30030.sgrubb@redhat.com> (raw)
In-Reply-To: <1187293013.28040.96.camel@finch.boston.redhat.com>
On Thursday 16 August 2007 15:36:53 John Dennis wrote:
> Is there a dictionary of audit records which lists every audit record
Not exactly. There is a listing of every event type in the headers as well as
when you just type "ausearch -m". But what's in each record is not in a
released document right now.
> and every field in that record as well as how to interpret that field?
The interpretation of that field can be found in the audit parsing spec:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
> Does the audit data follow any type of regular schema and is that
> regularity enforced in any manner?
It is a gentleman's agreement. I have personally reviewed and fixed all audit
messages to make sure they are uniform except the selinux avcs. Anytime I
suggest normalizing them, they get upset and say it will break existing
tools. So, I have no way of making avcs follow a schema unless they want to
change it. As for userspace, I enforce the gentlemen's agreement by the
logging functions in libaudit.
All that's required in an audit event is: Date and time of event, type of
event, user associated with the event, subject identity, resources involved.
outcome, Sensitivity labels of subjects and objects. Anything else is icing
on the cake.
-Steve
prev parent reply other threads:[~2007-08-16 19:57 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-16 19:36 Dictionary of audit records John Dennis
2007-08-16 19:57 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200708161557.30030.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox