On 2017-07-13 17:02, Steve Grubb wrote:
> On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> > In the process of updating the audit message type dictionary, I came
> > across a couple of differences I wanted to clear up.
> >
> > The descriptions in the userspace header file don't obviously line up
> > with another source. Can I get a clarification on these two messages:
> >
> > AUDIT_USER_ACCT 1101 User system access authorization
> > Alt: User account modification
>
> This is access authorization. Authorization is different than authentication.
> Pam sends this event during login.

Ok, I'll update the "alt" text, since it is clearly wrong.

> > AUDIT_USER_MGMT 1102 User account attribute change
> > Alt: Userspace management data
>
> This is strictly user account attribute changes. This is usually sent by
> something like usermod of shadow-utils.

Ok, again, I'll update the "alt" text, since it is a bit vague.

> > Similarly, these weren't clear to me as to whether they were active or
> > passive reports. Do these records say that the RESPonse happened, or
> > that the RESPonse should happen?
>
> They should record what actually happened including success or not.

Ok, so active.

> > AUDIT_RESP_ALERT 2201 Alert email was sent
> > AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
> > AUDIT_RESP_EXEC 2210 Execute a script
> > AUDIT_RESP_HALT 2212 take the system down
> > AUDIT_RESP_KILL_PROC 2202 Kill program
> > AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
> > AUDIT_RESP_SINGLE 2211 Go to single user mode
> > AUDIT_RESP_TERM_ACCESS 2203 Terminate session
> > AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
> >
> > In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> > was executed in response to some detected event, or intrusion detection
> > program responds to a threat originating from the execution of a
> > program?
>
> It means a script was executed in response.

Ok, good, thanks.

> -Steve
>
> > I suspect they are all active and this EXEC one means a script
> > was executed in response.
> >
> > Thanks!
> >
> > - RGB

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
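The distinction settled in the thread (USER_ACCT is an authorization record, USER_MGMT an account attribute change, and the RESP_* records report a response that actually happened, success or not) is the kind of thing a log consumer has to encode. The following is an added example, not code from the thread, from audit-userspace or from the kernel: it parses the one-line `type=... msg=audit(...): ...` record format, unwraps the nested `msg='...'` field, and tags each record with the meaning given above. The type numbers are the ones quoted in the thread; the sample log lines are constructed for this example (not captured from a real system), and the `reason=` and `script=` fields in the RESP_EXEC line are hypothetical.

```python
"""Parse audit.log records of the types discussed above and classify them.

Added example; not code from the thread, audit-userspace or the kernel.
Type numbers are taken from the thread.  SAMPLE_LOG is constructed for this
example; the reason= and script= fields on the RESP_EXEC line are hypothetical.
"""
import re

# Record type numbers as listed in the thread, with the meaning given there.
AUDIT_TYPES = {
    "USER_ACCT": 1101,          # user system access authorization (PAM, at login)
    "USER_MGMT": 1102,          # user account attribute change (e.g. usermod)
    "RESP_ANOMALY": 2200,       # anomaly not reacted to
    "RESP_ALERT": 2201,         # alert email was sent
    "RESP_KILL_PROC": 2202,     # kill program
    "RESP_TERM_ACCESS": 2203,   # terminate session
    "RESP_TERM_LOCK": 2208,     # terminal was locked
    "RESP_SEBOOL": 2209,        # set an SELinux boolean
    "RESP_EXEC": 2210,          # a script was executed in response
    "RESP_SINGLE": 2211,        # go to single user mode
    "RESP_HALT": 2212,          # take the system down
}

# Constructed sample records (hypothetical pids, serials, hosts and accounts).
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1499979600.101:201): pid=1200 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="alice" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1499979660.102:202): pid=1250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_MGMT msg=audit(1499979720.103:203): pid=1300 uid=0 auid=1000 ses=3 msg='op=changing-home-dir id=1001 exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=success'
type=RESP_EXEC msg=audit(1499979780.104:204): pid=1400 uid=0 auid=4294967295 ses=4294967295 msg='op=exec-script reason=failed-auth script="/usr/local/sbin/lock-account.sh" res=success'
"""

# Record header: type=NAME msg=audit(SECONDS.MILLIS:SERIAL): <key=value fields>
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value tokens; a value is 'single-quoted', "double-quoted", or bare.
KV_RE = re.compile(r"""(\w+)=('([^']*)'|"([^"]*)"|(\S+))""")


def parse_fields(text):
    """Return {key: value} for the key=value tokens in text, quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(text):
        single, double, bare = m.group(3), m.group(4), m.group(5)
        fields[m.group(1)] = single if single is not None else (
            double if double is not None else bare)
    return fields


def parse_record(line):
    """Parse one audit record line; return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    outer = parse_fields(m.group("rest"))
    # The nested msg='...' block carries op=, acct=, res= and similar fields.
    inner = outer.pop("msg", "")
    outer.update(parse_fields(inner))
    rec["fields"] = outer
    return rec


def classify(rec):
    """Attach the type number and the meaning given in the thread."""
    t = rec["type"]
    if t == "USER_ACCT":
        kind = "authorization"              # access authorization, not authentication
    elif t == "USER_MGMT":
        kind = "account-attribute-change"
    elif t.startswith("RESP_"):
        kind = "response-taken"             # reports what actually happened
    else:
        kind = "other"
    return {
        "type": t,
        "num": AUDIT_TYPES.get(t),
        "kind": kind,
        "res": rec["fields"].get("res"),
        "acct": rec["fields"].get("acct"),
    }


def failed_authorizations(log_text):
    """(serial, account, source address) for every USER_ACCT with res=failed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_ACCT" and rec["fields"].get("res") == "failed":
            hits.append((rec["serial"], rec["fields"].get("acct"), rec["fields"].get("addr")))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(parse_record(line)))
    print("failed authorizations:", failed_authorizations(SAMPLE_LOG))
```

`failed_authorizations` is deliberately keyed on USER_ACCT rather than on an authentication record: a `res=failed` here means the account was denied access after authenticating (locked, expired, outside an allowed time window), which is a different signal from a wrong password and is the one the thread says this record type carries.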
