On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
>
> The descriptions in the userspace header file don't obviously line up
> with another source. Can I get a clarification on these two messages:
>
> AUDIT_USER_ACCT 1101 User system access authorization
> Alt: User account modification

This is access authorization. Authorization is different than authentication. PAM sends this event during login.

> AUDIT_USER_MGMT 1102 User account attribute change
> Alt: Userspace management data

This is strictly user account attribute changes. This is usually sent by something like usermod of shadow-utils.

> Similarly, these weren't clear to me as to whether they were active or
> passive reports. Do these records say that the RESPonse happened, or
> that the RESPonse should happen?

They should record what actually happened including success or not.

> AUDIT_RESP_ALERT 2201 Alert email was sent
> AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
> AUDIT_RESP_EXEC 2210 Execute a script
> AUDIT_RESP_HALT 2212 take the system down
> AUDIT_RESP_KILL_PROC 2202 Kill program
> AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
> AUDIT_RESP_SINGLE 2211 Go to single user mode
> AUDIT_RESP_TERM_ACCESS 2203 Terminate session
> AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?

It means a script was executed in response.

-Steve

> I suspect they are all active and this EXEC one means a script
> was executed in response.
>
> Thanks!
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
