On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgr...@redhat.com> wrote:
> On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > Anyway, I think I need to spend some time playing until that "aha!"
> > moment comes. It feels a lot closer thanks to both of your responses
> > and I really appreciate the time you've taken to read my emails and
> > respond to them.
>
> There are simple events which are one line and compound events which are
> multiple lines - called records. The simple events tend to be hardwired and
> not optional. For example, logins are hardwired; kernel config changes are
> hardwired; authentication is hardwired.
Reading Steve's response I'm not sure we use the same terminology, or perhaps
we explain it a bit differently. Regardless, here is a quick definition that
I stick to when discussing audit:

"audit record": An audit record is a single line in the audit log that
consists of a timestamp, record type (type=XXX), and a series of fields which
are dependent on the record type. Here is an example of a SYSCALL record:

  type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

"audit event": An audit event consists of multiple audit records grouped
together by a single timestamp. Single record audit events are allowed and do
exist. There is no upper bound on the number of records allowed in an audit
event. Here is an example of an audit event consisting of PROCTITLE, SYSCALL,
and BPF audit records:

  type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)
  type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
  type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD

I hope that helps.

--
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
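The record/event distinction above, as an added example that is not part of the thread or of the audit project's own tooling: a small Python parser that splits each line into its type, timestamp, serial and fields, then groups records into events on the (timestamp, serial) pair from msg=audit(...). The three input lines are the ones quoted in the message (interpreted ausearch -i style output); the fourth single-record event is constructed for illustration.

```python
import re
from collections import OrderedDict

# Record prefix as shown in the message: "type=XXX msg=audit(TS:SERIAL) : <fields>".
# TS itself contains colons in interpreted output, so match it lazily up to ":SERIAL)".
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$"
)
# key=value pairs; values are either double-quoted or run to the next whitespace.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Sample input: three records quoted in the message plus one constructed
# single-record event (serial 564) to show that single-record events exist.
SAMPLE_LINES = [
    "type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)",
    "type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf "
    "success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 "
    "ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root "
    "egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd "
    "exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "key=(null)",
    "type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD",
    "type=BPF msg=audit(03/10/2023 10:59:01.102:564) : prog-id=173 op=UNLOAD",  # constructed
]


def parse_record(line):
    """Parse one audit record (one log line); return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group("type"),
        "timestamp": m.group("ts"),
        "serial": int(m.group("serial")),
        "fields": dict(FIELD_RE.findall(m.group("body"))),
    }


def group_events(lines):
    """Group records into events keyed by (timestamp, serial), preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["timestamp"], rec["serial"]), []).append(rec)
    return [{"timestamp": ts, "serial": serial, "records": recs}
            for (ts, serial), recs in events.items()]


def record_types(event):
    """Return the record types of an event in log order, e.g. ['PROCTITLE', 'SYSCALL', 'BPF']."""
    return [r["type"] for r in event["records"]]
```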