Dictionary of audit records

Dictionary of audit records

[John Dennis]

Is there a dictionary of audit records which lists every audit record
and every field in that record as well as how to interpret that field?

Does the audit data follow any type of regular schema and is that
regularity enforced in any manner?
-- 
John Dennis <jdennis@redhat.com>

Re: Dictionary of audit records

[Steve Grubb]

On Thursday 16 August 2007 15:36:53 John Dennis wrote:
> Is there a dictionary of audit records which lists every audit record

Not exactly. There is a listing of every event type in the headers as well as 
when you just type "ausearch -m". But what's in each record is not in a 
released document right now.

> and every field in that record as well as how to interpret that field?

The interpretation of that field can be found in the audit parsing spec:
http://people.redhat.com/sgrubb/audit/audit-parse.txt

> Does the audit data follow any type of regular schema and is that
> regularity enforced in any manner?

It is a gentleman's agreement. I have personally reviewed and fixed all audit 
messages to make sure they are uniform except the selinux avcs. Anytime I 
suggest normalizing them, they get upset and say it will break existing 
tools. So, I have no way of making avcs follow a schema unless they want to 
change it. As for userspace, I enforce the gentlemen's agreement by the 
logging functions in libaudit.

All that's required in an audit event is: Date and time of event, type of 
event, user associated with the event, subject identity, resources involved. 
outcome, Sensitivity labels of subjects and objects. Anything else is icing 
on the cake.

-Steve