* How to learn the Message type?
From: 陈洁丹 @ 2009-12-31 2:59 UTC (permalink / raw)
To: linux-audit
Hello, my friends.
Every record contains a type field. It's about the message type, such as
AUDIT_AVC, AUDIT_SYSCALL and so on.
Does AVC mean Mandatory Access Control?
Are all the message types listed in msg_typetab.h?
What do they mean exactly?
Where can I get the information about them?
I looked into _LIBAUDIT_H_ and found this sentence:
* 1300 - 1399 audit event messages
But in this file, I find nothing about audit event messages.
Can anyone give me a URL or a book about the audit event
messages?
Thanks a lot ^_^
Jeedan
--
-----------------------------
陈洁丹, School of Software Engineering, Beijing University of Posts and Telecommunications
Address: Dormitory D12, Xue'er Building, Beijing University of Posts and Telecommunications
Postal code: 100876
Email: jeedan.chen@gmail.com
---------------------------------
* Re: How to learn the Message type?
From: Steve Grubb @ 2010-01-02 13:47 UTC (permalink / raw)
To: linux-audit
On Wednesday 30 December 2009 09:59:49 pm 陈洁丹 wrote:
> Every record contains a type field. It's about the message type, such as
> AUDIT_AVC, AUDIT_SYSCALL and so on.
> Does AVC mean Mandatory Access Control?
Specifically, it's an SE Linux access control decision. You have to look at the
syscall record to see if it was actually successful.
> Are all the message types listed in msg_typetab.h?
Yes. There are a few more, but you will never see them since they are command
types rather than events.
> What do they mean exactly?
> Where can I get the information about them?
The header file usually has a brief 1 sentence comment about what it's used for.
You would look in 1 of 2 places:
/usr/include/linux/audit.h
/usr/include/libaudit.h
> I looked into _LIBAUDIT_H_ and found this sentence:
> * 1300 - 1399 audit event messages
> But in this file, I find nothing about audit event messages.
> Can anyone give me a URL or a book about the audit event
> messages?
The audit events are divided into broad categories so that similar events are
in the same range of numbers. This is what it's referring to. But look at the 2
header files and you should know more about it.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
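Two points in Steve's reply lend themselves to a worked illustration: the numeric ranges in linux/audit.h group message types by category, and an AVC record is only the access control decision, so the SYSCALL record of the same event tells you whether the call actually went through. The script below is an added example written for this thread, not code from the audit project. The range table and the name-to-number map are a constructed subset of what linux/audit.h documents (only the values shown are assumed), and the sample log lines are constructed, not captured from a real system. Records are grouped by the serial number after the colon in `msg=audit(...)`, which is how records of one event are tied together in the log.

```python
import re
from collections import defaultdict

# Constructed subset of the numeric ranges that /usr/include/linux/audit.h
# documents for message types; the "1300 - 1399 audit event messages"
# comment the original poster found is one entry of this scheme.
TYPE_RANGES = [
    (1000, 1099, "audit system control commands (never appear in logs)"),
    (1100, 1199, "user space trusted application messages"),
    (1200, 1299, "messages internal to the audit daemon"),
    (1300, 1399, "audit event messages"),
    (1400, 1499, "SE Linux use"),
]

# Constructed subset of the name -> number assignments from linux/audit.h.
TYPE_NUMBERS = {
    "USER_AUTH": 1100,
    "DAEMON_START": 1200,
    "SYSCALL": 1300,
    "PATH": 1302,
    "AVC": 1400,
}

def type_category(type_number):
    """Map a numeric message type to the range comment it belongs to."""
    for low, high, label in TYPE_RANGES:
        if low <= type_number <= high:
            return label
    return "outside the ranges listed here"

# One audit record: "type=<NAME> msg=audit(<secs>.<ms>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<timestamp>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)

def parse_record(line):
    """Split one raw audit line into type, serial and a key=value dict.
    Returns None for lines that are not audit records."""
    match = RECORD_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["serial"] = int(record["serial"])
    record["fields"] = dict(re.findall(r"(\w+)=(\S+)", record["body"]))
    return record

def group_events(lines):
    """Records sharing a serial number belong to the same event."""
    events = defaultdict(list)
    for line in lines:
        record = parse_record(line)
        if record is not None:
            events[record["serial"]].append(record)
    return events

def avc_outcomes(lines):
    """For each event containing an AVC record, say what the SYSCALL record
    of the same event reports. The AVC line alone is only the access control
    decision; success=yes/no on the SYSCALL line is what actually happened."""
    outcomes = {}
    for serial, records in group_events(lines).items():
        if not any(r["type"] == "AVC" for r in records):
            continue
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None:
            outcomes[serial] = "no SYSCALL record in event"
        elif syscall["fields"].get("success") == "yes":
            outcomes[serial] = "syscall succeeded"
        else:
            outcomes[serial] = "syscall failed"
    return outcomes

# Constructed sample records (not taken from any real system): event 42 is a
# denial that blocked the open(); event 43 is a denial logged while the call
# still went through (what you see when SELinux is in permissive mode).
SAMPLE_LOG = [
    'type=AVC msg=audit(1262232000.123:42): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" name="index.html" dev=sda1 ino=5678 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1262232000.123:42): arch=c000003e syscall=2 success=no exit=-13 '
    'items=1 ppid=1 pid=1234 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1262232000.456:43): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" name="index.html" dev=sda1 ino=5678 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1262232000.456:43): arch=c000003e syscall=2 success=yes exit=3 '
    'items=1 ppid=1 pid=1234 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=system_u:system_r:httpd_t:s0 key=(null)',
    'this line is not an audit record',
]

if __name__ == "__main__":
    for name, number in TYPE_NUMBERS.items():
        print(f"AUDIT_{name} = {number}: {type_category(number)}")
    for serial, outcome in sorted(avc_outcomes(SAMPLE_LOG).items()):
        print(f"event {serial}: {outcome}")
```

Run against a real /var/log/audit/audit.log, the same grouping shows why a denial count alone is a poor metric: event 43 above would be reported as a denial by a tool that reads only AVC lines, while the SYSCALL record shows the read succeeded.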
* Re: How to learn the Message type?
From: David Flatley @ 2010-01-21 21:29 UTC (permalink / raw)
Cc: linux-audit, linux-audit-bounces
Auditd fails to start due to -D in the /etc/audit/audit.rules file on
two of my RHEL 5.3 systems.
I am using Steve Grubb's STIG audit.rules file. Did I miss something with
5.3??
David Flatley CISSP
* Re: How to learn the Message type?
From: Steve Grubb @ 2010-01-21 21:49 UTC (permalink / raw)
To: linux-audit
On Thursday 21 January 2010 04:29:04 pm David Flatley wrote:
> Auditd fails to start due to -D in the /etc/audit/audit.rules file on
> two of my RHEL 5.3 systems.
> I am using Steve Grubb's STIG audit.rules file. Did I miss something with
> 5.3??
The very last command in that file puts the audit system in immutable mode -
meaning you cannot change the rules without rebooting. Comment out that line
if you want to let any changes into the audit system at any time.
-Steve
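Steve's explanation is that `-e 2` at the end of the rules file makes the kernel's audit configuration immutable until reboot, so every later rule change, including the `-D` that starts the file, is refused. The following checker is an added example for this thread, not part of the audit project or of the STIG rules file being discussed; the sample rules text is constructed in roughly that file's shape (its contents are an assumption, not the real file). It reports whether immutable mode is requested, whether any rules follow it (those can never be loaded), and whether the file leads with `-D`, and it can write the commented-out variant Steve suggests.

```python
import re

# Constructed sample rules file, loosely in the shape of a STIG-style
# audit.rules: "-D" first, watches and syscall rules in the middle, and
# "-e 2" (immutable mode) as the very last command. Not the real file.
SAMPLE_RULES = """\
# Remove any existing rules
-D
# Increase the buffers to survive stress events
-b 8192
-w /etc/audit/ -p wa -k audit-config
-w /etc/selinux/ -p wa -k MAC-policy
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change
# Make the configuration immutable; a reboot is required to change rules
-e 2
"""

IMMUTABLE_RE = re.compile(r"-e\s+2")

def rule_lines(text):
    """Yield (line_number, rule) for every non-blank, non-comment line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield number, line

def check_immutable(text):
    """Describe how a rules file handles immutable mode.

    immutable    -> True if an "-e 2" line is present
    immutable_at -> line number of that line, or None
    rules_after  -> rules that follow "-e 2"; they can never be loaded, since
                    once the kernel is immutable every later change is refused
    delete_first -> True if the first rule is "-D"; note that "-D" itself needs
                    a mutable kernel, so reloading this file after "-e 2" has
                    already been applied fails right at that first line
    """
    rules = list(rule_lines(text))
    report = {"immutable": False, "immutable_at": None,
              "rules_after": [], "delete_first": False}
    if rules:
        report["delete_first"] = rules[0][1] == "-D"
    for index, (number, rule) in enumerate(rules):
        if IMMUTABLE_RE.fullmatch(rule):
            report["immutable"] = True
            report["immutable_at"] = number
            report["rules_after"] = [r for _, r in rules[index + 1:]]
            break
    return report

def make_mutable(text):
    """Return the rules text with every "-e 2" line commented out, which is the
    change Steve suggests so that rules can be changed at any time."""
    out = []
    for raw in text.splitlines():
        if IMMUTABLE_RE.fullmatch(raw.strip()):
            out.append("# " + raw + "   # disabled: immutable mode blocks rule changes until reboot")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    report = check_immutable(SAMPLE_RULES)
    print("immutable mode requested:", report["immutable"], "at line", report["immutable_at"])
    print("rules that could never load:", report["rules_after"])
    print("file starts with -D:", report["delete_first"])
    print(make_mutable(SAMPLE_RULES))
```

The trade-off is the one Steve states: leaving `-e 2` in place is what a hardening baseline wants (no rule changes without a reboot), while commenting it out is what you need if an install script or a later `auditctl -R` has to reload the file on a running system.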
* Re: How to learn the Message type?
From: David Flatley @ 2010-01-22 13:48 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
My audit install script installs your rules file with the -e 2
uncommented so I will have to adjust the script to account for this.
Thanks Steve
David Flatley CISSP
* Re: How to learn the Message type?
From: David Flatley @ 2010-01-25 16:37 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve:
Your audit.rules file for STIG compliance is mostly geared towards RHEL
5 systems?
When I try to run it on a RHEL 4 system it complains about the filters (-k)
and other things.
Thanks.
David Flatley CISSP
* Re: How to learn the Message type?
From: Steve Grubb @ 2010-01-25 16:46 UTC (permalink / raw)
To: David Flatley; +Cc: linux-audit
On Monday 25 January 2010 11:37:01 am David Flatley wrote:
> Your audit.rules file for STIG compliance is mostly geared towards RHEL
> 5 systems?
Yes.
> When I try to run it on a RHEL 4 system it complains about the filters (-k)
> and other things.
Yes, there is that and the fact that directory auditing is not recursive and
you cannot write fancy rules that do file system watching without naming the
syscall. It may be possible to make some adjustments to the RHEL5 rules, but I
don't know if you would wind up with lots of unnecessary data as a result of
RHEL4's audit capabilities.
-Steve