Re: Linux-audit Digest, Vol 40, Issue 8
From: kunal chandarana @ 2008-01-14 11:06 UTC
To: linux-audit
In audit logs, one field which is always present is "TYPE".
What does this type indicate?
If this type indicates the symbolic constants which are defined in
linux/audit.h, then types like USER_AUTH, USER_ACCT, CRED_ACQ etc. are not
defined in that particular file.
So how do we map these symbolic constants to the numeric values?
For e.g.:
If type=CONFIG_CHANGE, then we get the numeric value for type as "1305", which is
defined in the file linux/audit.h.
But no such values are there for type=USER_AUTH, CRED_ACQ etc.
For such types we get the numeric value 1819222064. How do we interpret such values?
We are adding DB support for the Auditing System, in which we are thinking of
creating tables on the basis of the blocks of the netlink msgs, which are shown
below.
(quoted from include/linux/audit.h, lines 31-51:
http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L31)

/* The netlink messages for the audit system is divided into blocks:
 * 1000 - 1099 are for commanding the audit system (Table1)
 * 1100 - 1199 user space trusted application messages (Table2)
 * 1200 - 1299 messages internal to the audit daemon (Table3)
 * 1300 - 1399 audit event messages (Table4)
 * 1400 - 1499 SE Linux use
 * 1500 - 1599 kernel LSPP events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1999 future kernel use (maybe integrity labels and related events)
 * 2000 is for otherwise unclassified kernel audit messages (legacy)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2999 future user space (maybe integrity labels and related events)
 *
 * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
 * exclusively user space. 1300-2099 is kernel --> user space
 * communication.
 */
How to do it on the basis of type fields?
Re: Linux-audit Digest, Vol 40, Issue 8
From: Steve Grubb @ 2008-01-14 11:27 UTC
To: linux-audit; +Cc: kunal chandarana
On Monday 14 January 2008 06:06:33 kunal chandarana wrote:
> In audit logs one field which is always present is "TYPE".
>
> What does this type indicate ?
It signifies the record's type.
> If this type indicates the symbolic constants which are defined in
> linux/audit.h then types like USER_AUTH, USER_ACCT, CRED_ACQ etc are not
> defined in that particular file.
In audit.h, things are namespaced so they don't collide with defines
elsewhere. They all have an AUDIT_ prefix. So, if you wanted to map them,
AUDIT_USER_LOGIN would be printed as USER_LOGIN. There is a function that
does this mapping from number to string and another from string to number. From
libaudit.h:
extern int audit_name_to_msg_type(const char *msg_type);
extern const char *audit_msg_type_to_name(int msg_type);
You should not have to write this function yourself since the audit libraries
have conversion functions.
-Steve
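As an added illustration of both messages above (not code from the thread, from libaudit or from the kernel), the following Python mirrors what the two libaudit functions do and then routes a raw audit.log record into the table its numeric type's block belongs to, which is the DB design the question describes. The type table is a hand-copied subset: the only value the thread itself gives is CONFIG_CHANGE=1305; the 11xx user-space values are as I recall them from libaudit.h, so verify them against your libaudit before relying on them, and the table labels are constructed names. The stray 1819222064 from the question is shown to fall outside every block, which is the check a loader should make before filing a record.

```python
"""Map audit record type names to numbers and to the audit.h message blocks.

Added example; not code from the linux-audit thread, libaudit or the kernel.
The authoritative mapping is libaudit's audit_name_to_msg_type() and
audit_msg_type_to_name(); the table below is a hand-copied subset, named the
way Steve describes: the AUDIT_ prefix from the header is dropped in the log.
"""
import re

# Constructed subset of the type table (AUDIT_ prefix stripped).
# 1305 is the CONFIG_CHANGE value quoted in the thread; the 11xx values are
# user-space message types that live in libaudit.h, not linux/audit.h.
MSG_TYPES = {
    "GET": 1000,            # AUDIT_GET, linux/audit.h
    "SET": 1001,
    "USER_AUTH": 1100,      # libaudit.h, values as recalled: verify locally
    "USER_ACCT": 1101,
    "USER_MGMT": 1102,
    "CRED_ACQ": 1103,
    "CRED_DISP": 1104,
    "USER_START": 1105,
    "USER_END": 1106,
    "USER_LOGIN": 1112,
    "DAEMON_START": 1200,
    "SYSCALL": 1300,
    "PATH": 1302,
    "CONFIG_CHANGE": 1305,  # value given in the thread
    "CWD": 1307,
    "EXECVE": 1309,
    "AVC": 1400,
    "ANOM_PROMISCUOUS": 1700,
    "KERNEL": 2000,
}
_NUM_TO_NAME = {v: k for k, v in MSG_TYPES.items()}

# The blocks from the include/linux/audit.h comment quoted in the thread.
# (low, high, label); the labels are constructed table names for the DB.
BLOCKS = [
    (1000, 1099, "audit_control"),         # commanding the audit system (Table1)
    (1100, 1199, "user_trusted_app"),      # user space trusted app messages (Table2)
    (1200, 1299, "auditd_internal"),       # internal to the audit daemon (Table3)
    (1300, 1399, "audit_event"),           # audit event messages (Table4)
    (1400, 1499, "selinux"),
    (1500, 1599, "kernel_lspp"),
    (1600, 1699, "kernel_crypto"),
    (1700, 1799, "kernel_anomaly"),
    (1800, 1999, "kernel_future"),
    (2000, 2000, "kernel_legacy"),
    (2001, 2099, "kernel_unused"),
    (2100, 2199, "user_anomaly"),
    (2200, 2299, "user_anomaly_response"),
    (2300, 2399, "user_lspp"),
    (2400, 2499, "user_crypto"),
    (2500, 2999, "user_future"),
]


def name_to_msg_type(name):
    """Like audit_name_to_msg_type(): number for a type name, -1 if unknown.
    Also accepts the header spelling (AUDIT_USER_AUTH -> USER_AUTH)."""
    if name.startswith("AUDIT_"):
        name = name[len("AUDIT_"):]
    return MSG_TYPES.get(name, -1)


def msg_type_to_name(num):
    """Like audit_msg_type_to_name(): name for a number, None if unknown."""
    return _NUM_TO_NAME.get(num)


def msg_type_block(num):
    """Block (table) a numeric type belongs to, or None when it lies outside
    every block, as the stray 1819222064 from the question does."""
    for low, high, label in BLOCKS:
        if low <= num <= high:
            return label
    return None


_TYPE_RE = re.compile(r"\btype=(\w+)")


def classify_record(line):
    """Parse type= from a raw audit.log line and route it to a table.
    Returns (name, number, block); number is -1 and block is None when the
    name is unknown, so the loader can reject the record instead of
    mis-filing it under a bogus number."""
    m = _TYPE_RE.search(line)
    if not m:
        return (None, -1, None)
    name = m.group(1)
    num = name_to_msg_type(name)
    return (name, num, msg_type_block(num) if num >= 0 else None)


if __name__ == "__main__":
    # Constructed sample lines in audit.log format.
    sample = [
        "type=USER_AUTH msg=audit(1200310000.123:45): user pid=1234 uid=0 ...",
        "type=CONFIG_CHANGE msg=audit(1200310001.456:46): audit_enabled=1 old=0 ...",
        "type=NOT_A_TYPE msg=audit(1200310002.789:47): ...",
    ]
    for line in sample:
        print(classify_record(line))
    print(msg_type_block(1819222064))  # None: not inside any audit.h block
```

In a real loader the two lookups would be the libaudit calls Steve names, so the table only ever needs to hold the block ranges; keeping the range check separate from the name lookup is what lets a record with an out-of-range number be rejected early rather than creating a table for it.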