On Wednesday 30 December 2009 09:59:49 pm 陈洁丹 wrote:
> Every record contains a type field. It's about the message type such as
> AUDIT_AVC, AUDIT_SYSCALL and so on.
> Does AVC mean Mandatory Access Control?
Specifically, it's a SE Linux access control decision. You have to look at the syscall record to see if it was actually successful.

> Are all the message types listed in msg_typetab.h?

Yes. There are a few more, but you will never see them since they are command types rather than events.

> What do they mean exactly?
> Where can I get the information about them?

The header file usually has a brief 1 sentence comment about what it's used for. You would look in 1 of 2 places:

/usr/include/linux/audit.h
/usr/include/libaudit.h

> I looked into _LIBAUDIT_H_ and found this sentence:
> * 1300 - 1399 audit event messages
> But in this file I find nothing about audit event messages.
> Can anyone give me a URL or a book about the audit event
> messages?

The audit events are divided into broad categories so that similar events are in the same range of numbers. This is what it's referring to. But look at the 2 header files and you should know more about it.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
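Added example, not part of the thread: this Python groups auditd records by the event serial in `msg=audit(...)`, and for each event that carries an AVC record reads the `success=` field of the matching SYSCALL record, which is what Steve's answer says you must check. The log lines are constructed samples in the standard auditd text format, not real captures.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not from the thread). Both events carry an AVC
# denial; only the SYSCALL record shows that event 43's write still succeeded (what
# permissive mode looks like), while event 42's read really was refused.
SAMPLE_LOG = """\
type=AVC msg=audit(1262230789.123:42): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1262230789.123:42): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="cat" exe="/bin/cat"
type=AVC msg=audit(1262230790.456:43): avc:  denied  { write } for  pid=1235 comm="vi" name="hosts" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1262230790.456:43): arch=c000003e syscall=1 success=yes exit=16 pid=1235 comm="vi" exe="/usr/bin/vi"
type=CWD msg=audit(1262230790.456:43): cwd="/etc"
"""

# type=<name> msg=audit(<time>:<serial>): <body>; every record of one event shares the serial
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')

def parse_record(line):
    """Split one audit line into its type, event serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "fields": {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}}
    avc = AVC_RE.search(m.group("body")) if rec["type"] == "AVC" else None
    if avc:  # AVC records also carry the decision and the permissions checked
        rec["decision"], rec["perms"] = avc.group("decision"), avc.group("perms").split()
    return rec

def avc_outcomes(log_text):
    """Per event with an AVC record: the decision, plus whether the syscall succeeded (SYSCALL record)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    out = {}
    for serial, recs in events.items():
        avc = next((r for r in recs if r["type"] == "AVC"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if avc is None:
            continue  # no access-control decision in this event
        out[serial] = {"decision": avc.get("decision"), "perms": avc.get("perms", []),
                       "comm": avc["fields"].get("comm"),
                       "succeeded": None if sc is None else sc["fields"].get("success") == "yes",
                       "exit": None if sc is None else int(sc["fields"]["exit"])}
    return out
```

Running `avc_outcomes(SAMPLE_LOG)` reports event 42 as denied and failed (exit -13) and event 43 as denied yet succeeded, the case the AVC record alone would misrepresent.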
