From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Definitive guide for audit message types
Date: Sat, 11 Oct 2014 18:01:52 -0400
Message-ID: <20141011180152.52f65c56@ivy-bridge>
References: <CAFftDdqFDNVBiwwTnxAGnorKpPL7cDjekxq=0jthBpU0X=SA5A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAFftDdqFDNVBiwwTnxAGnorKpPL7cDjekxq=0jthBpU0X=SA5A@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: William Roberts <bill.c.roberts@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Fri, 10 Oct 2014 09:58:48 -0700
William Roberts <bill.c.roberts@gmail.com> wrote:
> For audit log records, the type field can be something like 1400 for
> an AVC event. I know on the desktop it formats these all to the pretty
> names IIRC, however I am on Android and were not quite as advanced
> yet. Is their a definitive guide for each number what they correspond
> to besides cracking open the header files?

The kernel headers and libaudit headers are the literal definitive
source. They can be seen here:

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/include/uapi/linux/audit.h?id=refs/tags/v3.16.5#n30

and

https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L40

-Steve