Hi,

In the process of updating the audit message type dictionary, I came
across a couple of differences I wanted to clear up.


The descriptions in the userspace header file don't obviously line up
with another source.  Can I get a clarification on these two messages:

AUDIT_USER_ACCT 1101    User system access authorization
                Alt:    User account modification
AUDIT_USER_MGMT 1102    User account attribute change
                Alt:    Userspace management data


Similarly, these weren't clear to me as to whether they were active or
passive reports.  Do these records say that the RESPonse happened, or
that the RESPonse should happen?

AUDIT_RESP_ALERT        2201    Alert email was sent
AUDIT_RESP_ANOMALY      2200    Anomaly not reacted to
AUDIT_RESP_EXEC         2210    Execute a script
AUDIT_RESP_HALT         2212    take the system down
AUDIT_RESP_KILL_PROC    2202    Kill program
AUDIT_RESP_SEBOOL       2209    Set an SELinux boolean
AUDIT_RESP_SINGLE       2211    Go to single user mode
AUDIT_RESP_TERM_ACCESS  2203    Terminate session
AUDIT_RESP_TERM_LOCK    2208    Terminal was locked

In particular, does AUDIT_RESP_EXEC mean something as simple as a script
was executed in response to some detected event, or intrusion detection
program responds to a threat originating from the execution of a
program?  I suspect they are all active and this EXEC one means a script
was executed in response.


Thanks!

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit