Someone might look for this info in the future...

AUDIT_ADD_GROUP  User space group added
AUDIT_ADD_USER  User space user account added
AUDIT_ANOM_ABEND  Process ended abnormally
AUDIT_ANOM_ACCESS_FS  Access of file or dir
AUDIT_ANOM_ADD_ACCT  Adding an acct
AUDIT_ANOM_AMTU_FAIL  AMTU failure
AUDIT_ANOM_CRYPTO_FAIL  Crypto system test failure
AUDIT_ANOM_DEL_ACCT  Deleting an acct
AUDIT_ANOM_EXEC  Execution of file
AUDIT_ANOM_LOGIN_ACCT  Login attempted to watched acct
AUDIT_ANOM_LOGIN_FAILURES  Failed login limit reached
AUDIT_ANOM_LOGIN_LOCATION  Login from forbidden location
AUDIT_ANOM_LOGIN_SESSIONS  Max concurrent sessions reached
AUDIT_ANOM_LOGIN_TIME  Login attempted at bad time
AUDIT_ANOM_MAX_DAC  Max DAC failures reached
AUDIT_ANOM_MAX_MAC  Max MAC failures reached
AUDIT_ANOM_MK_EXEC  Make an executable
AUDIT_ANOM_MOD_ACCT  Changing an acct
AUDIT_ANOM_PROMISCUOUS  Device changed promiscuous mode
AUDIT_ANOM_RBAC_FAIL  RBAC self test failure
AUDIT_ANOM_RBAC_INTEGRITY_FAIL  RBAC file integrity failure
AUDIT_ANOM_ROOT_TRANS  User became root
AUDIT_AVC  SE Linux avc denial or grant
AUDIT_AVC_PATH  dentry, vfsmount pair from avc
AUDIT_BPRM_FCAPS  Information about fcaps increasing perms
AUDIT_CAPSET  Record showing argument to sys_capset
AUDIT_CHGRP_ID  User space group ID changed
AUDIT_CHUSER_ID  Changed user ID supplemental data
AUDIT_CONFIG_CHANGE  Audit system configuration change
AUDIT_CRED_ACQ  User space credential acquired
AUDIT_CRED_DISP  User space credential disposed
AUDIT_CRED_REFR  User space credential refreshed
AUDIT_CRYPTO_FAILURE_USER  Fail decrypt,encrypt,randomiz
AUDIT_CRYPTO_KEY_USER  Create,delete,negotiate
AUDIT_CRYPTO_LOGIN  Logged in as crypto officer
AUDIT_CRYPTO_LOGOUT  Logged out from crypto
AUDIT_CRYPTO_PARAM_CHANGE_USER  Crypto attribute change
AUDIT_CRYPTO_REPLAY_USER  Crypto replay detected
AUDIT_CRYPTO_SESSION  Record parameters set during
AUDIT_CRYPTO_TEST_USER  Crypto test results
AUDIT_CWD  Current working directory
AUDIT_DAC_CHECK  User space DAC check results
AUDIT_DAEMON_ABORT  Daemon error stop record
AUDIT_DAEMON_ACCEPT  Auditd accepted remote connection
AUDIT_DAEMON_CLOSE  Auditd closed remote connection
AUDIT_DAEMON_CONFIG  Daemon config change
AUDIT_DAEMON_END  Daemon normal stop record
AUDIT_DAEMON_RESUME  Auditd should resume logging
AUDIT_DAEMON_ROTATE  Auditd should rotate logs
AUDIT_DAEMON_START  Daemon startup record
AUDIT_DEL_GROUP  User space group deleted
AUDIT_DEL_USER  User space user account deleted
AUDIT_EOE  End of multi-record event
AUDIT_EXECVE  execve arguments
AUDIT_FD_PAIR  audit record for pipe
AUDIT_FS_RELABEL  Filesystem relabeled
AUDIT_GRP_AUTH  Authentication for group password
AUDIT_INTEGRITY_DATA  Data integrity verification
AUDIT_INTEGRITY_HASH  Integrity HASH type
AUDIT_INTEGRITY_METADATA  Metadata integrity verification
AUDIT_INTEGRITY_PCR  PCR invalidation msgs
AUDIT_INTEGRITY_RULE  Policy rule
AUDIT_INTEGRITY_STATUS  Integrity enable status
AUDIT_IPC  IPC record
AUDIT_IPC_SET_PERM  IPC new permissions record type
AUDIT_KERNEL  Asynchronous audit record. NOT A REQUEST.
AUDIT_KERNEL_OTHER  For use by 3rd party modules
AUDIT_LABEL_LEVEL_CHANGE  Object's level was changed
AUDIT_LABEL_OVERRIDE  Admin is overriding a label
AUDIT_LOGIN  Define the login id and information
AUDIT_MAC_CIPSOV4_ADD  NetLabel: add CIPSOv4 DOI entry
AUDIT_MAC_CIPSOV4_DEL  NetLabel: del CIPSOv4 DOI entry
AUDIT_MAC_CONFIG_CHANGE  Changes to booleans
AUDIT_MAC_IPSEC_ADDSA  Not used
AUDIT_MAC_IPSEC_ADDSPD  Not used
AUDIT_MAC_IPSEC_DELSA  Not used
AUDIT_MAC_IPSEC_DELSPD  Not used
AUDIT_MAC_IPSEC_EVENT  Audit an IPSec event
AUDIT_MAC_MAP_ADD  NetLabel: add LSM domain mapping
AUDIT_MAC_MAP_DEL  NetLabel: del LSM domain mapping
AUDIT_MAC_POLICY_LOAD  Policy file load
AUDIT_MAC_STATUS  Changed enforcing,permissive,off
AUDIT_MAC_UNLBL_STCADD  NetLabel: add a static label
AUDIT_MAC_UNLBL_STCDEL  NetLabel: del a static label
AUDIT_MMAP  Descriptor and flags in mmap
AUDIT_MQ_GETSETATTR  POSIX MQ get
AUDIT_MQ_NOTIFY  POSIX MQ notify record type
AUDIT_MQ_OPEN  POSIX MQ open record type
AUDIT_MQ_SENDRECV  POSIX MQ send
AUDIT_NETFILTER_CFG  Netfilter chain modifications
AUDIT_NETFILTER_PKT  Packets traversing netfilter chains
AUDIT_OBJ_PID  ptrace target
AUDIT_PATH  Filename path information
AUDIT_RESP_ACCT_LOCK  User acct was locked
AUDIT_RESP_ACCT_LOCK_TIMED  User acct locked for time
AUDIT_RESP_ACCT_REMOTE  Acct locked from remote access
AUDIT_RESP_ACCT_UNLOCK_TIMED  User acct unlocked from time
AUDIT_RESP_ALERT  Alert email was sent
AUDIT_RESP_ANOMALY  Anomaly not reacted to
AUDIT_RESP_EXEC  Execute a script
AUDIT_RESP_HALT  take the system down
AUDIT_RESP_KILL_PROC  Kill program
AUDIT_RESP_SEBOOL  Set an SE Linux boolean
AUDIT_RESP_SINGLE  Go to single user mode
AUDIT_RESP_TERM_ACCESS  Terminate session
AUDIT_RESP_TERM_LOCK  Terminal was locked
AUDIT_ROLE_ASSIGN  Admin assigned user to role
AUDIT_ROLE_MODIFY  Admin modified a role
AUDIT_ROLE_REMOVE  Admin removed user from role
AUDIT_SELINUX_ERR  Internal SE Linux Errors
AUDIT_SERVICE_START  Service (daemon) start
AUDIT_SERVICE_STOP  Service (daemon) stop
AUDIT_SOCKADDR  sockaddr copied as syscall arg
AUDIT_SYSTEM_BOOT  System boot
AUDIT_SYSTEM_RUNLEVEL  System runlevel change
AUDIT_SYSTEM_SHUTDOWN  System shutdown
AUDIT_TEST  Used for test success messages
AUDIT_TRUSTED_APP  Trusted app msg - freestyle text
AUDIT_TTY  Input on an administrative TTY
AUDIT_USER  Message from userspace -- deprecated
AUDIT_USER_ACCT  User space acct change
AUDIT_USER_AUTH  User space authentication
AUDIT_USER_AVC  User space avc message (we filter this differently)
AUDIT_USER_CHAUTHTOK  User space acct attr changed
AUDIT_USER_CMD  User shell command and args
AUDIT_USER_END  User space session end
AUDIT_USER_ERR  User space acct state err
AUDIT_USER_LABELED_EXPORT  Object exported with label
AUDIT_USER_LOGIN  User space user has logged in
AUDIT_USER_LOGOUT  User space user has logged out
AUDIT_USER_MAC_POLICY_LOAD  Userspc daemon loaded policy
AUDIT_USER_MGMT  User space acct management
AUDIT_USER_ROLE_CHANGE  User changed to a new role
AUDIT_USER_SELINUX_ERR  SE Linux user space error
AUDIT_USER_START  User space session start
AUDIT_USER_TTY  Non-ICANON TTY input meaning
AUDIT_USER_UNLABELED_EXPORT  Object exported without label
AUDIT_USYS_CONFIG  User space system config change
AUDIT_VIRT_CONTROL  Start, Pause, Stop VM
AUDIT_VIRT_MACHINE_ID  Binding of label to VM
AUDIT_VIRT_RESOURCE  Resource assignment
On Tue, Apr 8, 2014 at 4:47 PM, Satish Chandra Kilaru <[email protected]> wrote:
> Thank you.
>
> On Tue, Apr 8, 2014 at 4:41 PM, Steve Grubb <[email protected]> wrote:
>
>> On Tuesday, April 08, 2014 10:53:40 AM Satish Chandra Kilaru wrote:
>> > Hi
>> >
>> > I want to understand the logs in /var/log/audit/audit.log. Where can I
>> > get a complete list of audit event types
>>
>> ausearch -m help 2>&1 | tr ' ' '\n' | egrep '^[A-Z]' | egrep -v 'ALL|Valid' | sort
>>
>> > and what they mean?
>>
>> Each event type has some comment in the header files /usr/include/libaudit.h
>> and /usr/include/linux/audit.h. There is also some documentation here:
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
>>
>> And I want to think some other distros have docs as well.
>>
>> -Steve
>
> --
> Please Donate to www.wikipedia.org

--
Please Donate to www.wikipedia.org
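The lookup Steve describes in the quoted reply (each event type's meaning lives in a comment next to its #define in /usr/include/libaudit.h and /usr/include/linux/audit.h) turned into a small shell helper that builds a name-to-description table and uses it to annotate audit.log records. This is an added example, not code from the thread or from the audit project. The header snippet and the audit.log lines inside it are constructed, and the function names audit_type_descriptions, describe_audit_type and annotate_audit_log are invented for the example. It assumes the header keeps the "#define NAME number /* comment */" layout the pasted list above was extracted from, and relies on the fact that audit.log's type= field is the define name without its AUDIT_ prefix (type=USER_LOGIN for AUDIT_USER_LOGIN).

```shell
# Added example, not code from the thread: parse libaudit.h-style
# "#define AUDIT_XXX  nnnn  /* comment */" lines into a name -> description
# table, then use it to annotate audit.log records. The header snippet and
# the log lines below are CONSTRUCTED for this example; on a real host point
# the functions at /usr/include/libaudit.h or /usr/include/linux/audit.h and
# at /var/log/audit/audit.log instead.

SAMPLE_HDR=$(mktemp)
cat > "$SAMPLE_HDR" <<'EOF'
#define AUDIT_USER_AUTH         1100    /* User space authentication */
#define AUDIT_USER_LOGIN        1112    /* User space user has logged in */
#define AUDIT_ADD_GROUP         1114    /* User space group added */
#ifndef AUDIT_MMAP
#define AUDIT_MMAP              1323    /* Descriptor and flags in mmap */
#endif
#define AUDIT_ANOM_PROMISCUOUS  1700    /* Device changed promiscuous mode */
#define AUDIT_LAST_ANOM_MSG     1799
EOF

# Emit "NAME<TAB>description" for each #define AUDIT_* line that carries a
# /* ... */ comment. Guard lines (#ifndef/#endif) and defines without a
# comment (range markers such as AUDIT_LAST_ANOM_MSG) are skipped.
audit_type_descriptions() {
    awk '/^#define[ \t]+AUDIT_[A-Z0-9_]+/ && /\/\*/ {
        name = $2
        sub(/^.*\/\*[ \t]*/, "")      # strip everything up to and including "/*"
        sub(/[ \t]*\*\/.*$/, "")      # strip from "*/" to the end of the line
        printf "%s\t%s\n", name, $0
    }' "$1"
}

# Look up a single type. Accepts the header name (AUDIT_USER_LOGIN) or the
# form audit.log prints in its type= field, which drops the AUDIT_ prefix
# (type=USER_LOGIN). Prints nothing when the header has no comment for it.
describe_audit_type() {
    t=$1
    case "$t" in AUDIT_*) ;; *) t="AUDIT_$t" ;; esac
    audit_type_descriptions "$2" | awk -F'\t' -v n="$t" '$1 == n { print $2; exit }'
}

# Prefix each audit.log record with its type's description, or "unknown type"
# when the header does not define it (for example a record type introduced by
# a kernel newer than the installed headers).
annotate_audit_log() {
    while IFS= read -r line; do
        t=$(printf '%s\n' "$line" | sed -n 's/^type=\([A-Z0-9_]*\).*/\1/p')
        d=$(describe_audit_type "$t" "$2")
        printf '%s\t%s\n' "${d:-unknown type}" "$line"
    done < "$1"
}

# Constructed audit.log records in the shape real ones have.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=USER_LOGIN msg=audit(1396984800.000:101): pid=1234 uid=0 auid=1000 ses=3 res=success
type=ANOM_PROMISCUOUS msg=audit(1396984801.000:102): dev=eth0 prom=256 old_prom=0 auid=1000
type=NOT_IN_HEADER msg=audit(1396984802.000:103): pid=1
EOF

# Run stand-alone: print the table, then the annotated log.
audit_type_descriptions "$SAMPLE_HDR"
annotate_audit_log "$SAMPLE_LOG" "$SAMPLE_HDR"
```

The awk pass is the whole parser: it keeps only define lines that carry a comment, so the #ifndef/#endif guards that show up as noise in the pasted list above fall away, and the ANOM_PROMISCUOUS line in the constructed log comes out labelled "Device changed promiscuous mode", which is the kind of record worth alerting on from a detection standpoint.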
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
